Bug #321

mod_fastcgi authorizers cannot protect fastcgi responders

Added by Anonymous over 11 years ago. Updated 8 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_fastcgi
Target version:
Start date:
Due date:
% Done: 100%
Missing in 1.5.x:

Description

lighttpd will serve a fastcgi as a static file if an authorizer is set up to protect its parent location.

For example, if a fastcgi authorizer is set up to protect /test/ and a responder is set up at /test/test.fcgi, lighttpd will return the binary contents of test.fcgi (or a 404 if /test/test.fcgi is a remote responder).

This is because the mechanism to tell mod_fastcgi that it has already authorized a request never accounted for this need.

-- cpisto

Attachment: fastcgi-authorizer-fixes.diff - All fastcgi mode=authorizer fixes (Variable- env works, proper re-dispatching, and assert failure fix when auth is running in front of cgi). (6.61 KB) maherb, 2006-06-20 12:02

Associated revisions

Revision 2dcfe173 (diff)
Added by gstrauss 8 months ago

[mod_fastcgi] Authorizer support with Responder (fixes #321, fixes #322)

import Variable-* from FastCGI authorizer response into con->environment
restart request after FastCGI authorizer if no fastcgi.server docroot

(thx Christoph Kreutzer for initial patch attempt)

x-ref:
"mod_fastcgi authorizers cannot protect fastcgi responders"
http://redmine.lighttpd.net/issues/321

x-ref:
"FastCGI Authorizer support for Variable-name variable passing"
http://redmine.lighttpd.net/issues/322

github: closes #70

Revision 7ef569b2 (diff)
Added by Christoph Kreutzer 8 months ago

[tests] test coverage for issues (#321, #322)

FastCGI Authorizer support with FastCGI Responders

x-ref:
"mod_fastcgi authorizers cannot protect fastcgi responders"
http://redmine.lighttpd.net/issues/321

x-ref:
"FastCGI Authorizer support for Variable-name variable passing"
http://redmine.lighttpd.net/issues/322

Revision 7b7350ee (diff)
Added by gstrauss 8 months ago

[mod_fastcgi] allow authorizer, responder for same path/ext (#321)

allow authorizer and responder to be configured for same path or ext

x-ref:
"mod_fastcgi authorizers cannot protect fastcgi responders"
https://redmine.lighttpd.net/issues/321
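The layout from the report, written as a lighttpd configuration fragment. This is an added illustration, not configuration taken from the issue, the patches or the lighttpd test suite; the socket paths and bin-path values are constructed, and it assumes a build that includes the revisions listed above.

```conf
# Added example. Socket paths and bin-path values are constructed placeholders.
server.modules += ( "mod_fastcgi" )

# An authorizer guards everything under /test/, and a responder lives at
# /test/test.fcgi. This is the combination the report describes: before the
# fix, a request the authorizer allowed was served as a static file, so
# test.fcgi itself was returned (or a 404 for a remote responder).
fastcgi.server = (
  "/test/" => ((
    "mode"        => "authorizer",
    "socket"      => "/run/lighttpd/authz.sock",
    "bin-path"    => "/usr/local/libexec/authz.fcgi",
    "check-local" => "disable",
    # No "docroot" is set on purpose: revision 2dcfe173 restarts the request
    # after the authorizer when no fastcgi.server docroot is configured,
    # so the request can then reach the responder below.
  )),
  ".fcgi" => ((
    # Responder for the protected program (default mode is "responder").
    "socket"      => "/run/lighttpd/app.sock",
    "bin-path"    => "/var/www/test/test.fcgi",
  )),
)
```

To confirm the behaviour on a given build, request /test/test.fcgi with credentials the authorizer accepts and check that the body is the responder's output rather than the contents of test.fcgi.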

History

#1 Updated by maherb almost 11 years ago

This seems like a pretty important detail, and if you are going to advertise the fact that you support a fastcgi authorizer, you should probably warn users about this defect.

#2 Updated by maherb over 10 years ago

  • Status changed from New to Assigned

#3 Updated by jan almost 10 years ago

  • Status changed from Assigned to Fixed
  • Resolution set to invalid

We are only following the FastCGI spec.

In 1.5.0 we added X-Rewrite which fixes this in a generic way.

#4 Updated by Anonymous over 9 years ago

Where in the spec does it say that an authorizer can only protect static files? I just wasted an entire day writing a MySQL authorizer just to realize that LightTPD's implementation of the authorizer mode can only be used to protect static files and only if the mod_fastcgi matches URLs using file extensions. If URLs are matched using a path prefix, mod_fastcgi appends the prefix to the docroot and completely forgets about the rest of the URL. This is so useless that I wonder why the authorizer support actually exists in mod_fastcgi. The attached patch looks sane to me, can't you apply it and get on with it? I don't really want to wait another year until 1.5 comes out, if at all.

#5 Updated by stbuehler over 8 years ago

  • Status changed from Fixed to Invalid

#6 Updated by gstrauss 8 months ago

  • Description updated (diff)
  • Status changed from Invalid to Patch Pending
  • Target version set to 1.4.42

#7 Updated by gstrauss 8 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
