Project

General

Profile

Actions

Bug #2522

closed

Missing authentication when using mod_index

Added by dirk4000 over 10 years ago. Updated almost 8 years ago.

Status:
Invalid
Priority:
Normal
Category:
-
Target version:
-
ASK QUESTIONS IN Forums:

Description

When protecting a resource /index.html and using the index files feature, the required authentication is missing when accessing the uri http://deviceName but occurs when accessing http://deviceName/index.html.
Please don't say that it is a feature, it is definitely a bug.
Look at mod_rewrite in order to see how to handle authentification correctly (after rewriting / to /index.html, authentification takes place :)).

  1. Include config variables.
    include "mimetype.conf"
  2. Include necessary modules.
    server.modules = ("mod_auth", "mod_setenv", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_redirect" )
    var.auth_useradmin = ("method" => "digest", "realm" => "protected area","require" => "user=Admin|user=User" )
    auth.require = (
    "/index.html" => auth_useradmin
    }
  3. index file names
    index-file.names += ("index.html")
    ...

Files

mod_auth.c.patch (771 Bytes) mod_auth.c.patch giuse_pes, 2013-11-24 12:38
Actions #1

Updated by stbuehler over 10 years ago

  • Assignee deleted (stbuehler)

auth.require matches urls, but index-files.names is about the physical file name mapping - it never changes the url.

While I do get that this is unexpected and bad for some users, this is a direct result of the design of both modules.

Actions #2

Updated by stbuehler over 10 years ago

  • Project changed from Lighttpd2 to Lighttpd
  • Missing in 1.5.x set to No
Actions #3

Updated by giuse_pes over 10 years ago

Since I am not a Lighhttp developer I cannot assign this issue to me. However, I am working on it and I should get it done by the end of this weekend.
This is the configuration file that I use to reproduce it :

server.document-root = "/var/www/localhost/htdocs" 
server.port = 80

server.username = "test" 
server.groupname = "test" 

server.modules = ("mod_auth", "mod_setenv", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_redirect" )
dir-listing.activate = "enable" 

mimetype.assign = (
  ".html" => "text/html", 
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg",
  ".png" => "image/png" 
)

static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.html" )

auth.debug                  = 2
auth.backend                = "plain" 
auth.backend.plain.userfile = "/home/lighttpd/lighttpd.user" 
auth.require = ( "/private/index.html" =>
(
        "method" => "basic",
        "realm" => "test",
        "require" => "user=test" 
)
)

Thanks.
Giuseppe

Actions #4

Updated by giuse_pes over 10 years ago

The bug is fixed by the patch attached to this comment. The authentication process was called before the index file was appended to the uri ( this action is performed by mod_index), therefore an incorrect path was used by mod_auth when a request for a resource identified by an index file was made.
After applying the patch, the mod_indexfile_subrequest function (which appends the index to a uri) is called before the authentication process starts.

Actions #5

Updated by stbuehler over 10 years ago

Your patch is dangerous; it is on purpose that mod_auth is called early before anything else happens.

Actions #6

Updated by giuse_pes over 10 years ago

@stbuehler. Thank you for checking my patch. I guess you are right, but can you explain me why?

Possible alternative solution, the index file can be appended to the uri in the mod_auth before it verify the URI. However, it 's difficult to retrieve the values of the index files from the mod_auth since these values are not directly accessible. This is the reason why I have inverted the order.

Actions #7

Updated by stbuehler over 10 years ago

I think you have to be more careful; you assumed that this needs to be fixed in some way, and didn't consider that if you force it, you might make it worse.

In this case we have to consider that mod_auth might block the directory, but not the index file (nested in some $HTTP["url"] conditional for example); so changing the order would suddenly allow requests to work that are blocked right now.

Other modules might trigger actions in handlers that come after mod_auth now, but your change might make them get called earlier, removing the protection on those actions.

In this case we probably should restart the request handling, as mod_indexfile modifies con->uri.path and should (but doesn't, another bug) also reset all $HTTP["url"] results (which are cached). (this is similar to what mod_rewrite does)

Actions #8

Updated by darix over 10 years ago

  • Target version changed from 1.4.34 to 1.4.35
Actions #9

Updated by stbuehler about 10 years ago

  • Status changed from Patch Pending to Reopened
  • Priority changed from High to Normal
  • Target version changed from 1.4.35 to 1.4.x
Actions #10

Updated by gstrauss over 8 years ago

Reiterating what @stbuehler said:

auth.require matches urls, but index-files.names is about the physical file name mapping - it never changes the url.

While I do get that this is unexpected and bad for some users, this is a direct result of the design of both modules.

mod_auth checks URI requested by client for authorization.

mod_indexfile maps a URI to a physical path, and operates only on URI, requested by client, which end in '/'.
mod_indexfile handles the request after mod_auth checks the URI requested by the client.
You might think about it in such a way that URI requested by the client has been authorized by mod_auth, and is then handled by mod_indexfile (without modifying URI requested by client). (In an alternative implementation, URI could be modified internally, but that is not how mod_indexfile currently behaves)

Perhaps you're looking to authorize both explicit requests for index.html and requests for URI paths ending in '/', which might be handled by mod_indexfile:


var.auth_useradmin = ( "method" => "digest", "realm" => "protected area", "require" => "user=Admin|user=User" )
# require auth for URI which directly request index.html as well as for URI
# which end in '/' and might be handled by mod_indexfile or mod_dirlisting
$HTTP["url"] =~ "/(index.html)?$" {
  auth.require = ("" => auth_useradmin)
}

Actions #11

Updated by gstrauss about 8 years ago

  • Status changed from Reopened to Invalid

config file solution provided for selective protection of indexfile and dirlisting.

Most users enabling auth will do so for an entire path, e.g. /foo/, and are not as selective in auth requirements as in this ticket.

Actions #12

Updated by stbuehler almost 8 years ago

  • Target version deleted (1.4.x)
Actions

Also available in: Atom