Feature #527

closed

Allow backreferences in mod_auth

Added by Anonymous about 19 years ago. Updated over 16 years ago.

Status: Wontfix
Priority: Normal
Category: core
Target version: -

Description

Backreferences in mod_auth can be very useful -- in my case, I wanted to require user=%1 for access to /home/(.*)/. With 4000 fluctuating users, statically configuring this is not reasonable. So I've patched mod_auth to allow backreferences, and added a new routine (config_substitute_cond_match_buffer) to configfile-glue that wraps config_append_cond_match_buffer() to allow this to be easy to do with other modules (I can imagine it being useful for changing documentroot, for instance). I'm marking this as "core" because of the changes to plugin.h/configfile-glue.c.

Patch (I'll attach the changed files, from the 1.4.9 release, if the next screen lets me do that):


--- ./plugin.h  Mon Aug 15 04:28:56 2005
+++ /home/nathanw/lighttpdpatch/plugin.h        Thu Feb 16 00:55:37 2006
@@ -88,5 +88,6 @@
 int config_patch_connection(server *srv, connection *con, comp_key_t comp);
 int config_check_cond(server *srv, connection *con, data_config *dc);
 int config_append_cond_match_buffer(connection *con, data_config *dc, buffer *buf, int n);
+int config_substitute_cond_match_buffer(connection *con, data_config *dc, buffer *in, buffer *out);

 #endif
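
Review bot: The new prototype config_substitute_cond_match_buffer() is declared without any comment on its contract. The definition in configfile-glue.c returns -1 on failure and 1 on success and resets out before writing, none of which a caller can tell from this header. A short comment stating the return values and that out is overwritten would help, since the callers added in mod_auth.c ignore the result.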

--- ./mod_auth.c        Sun Jan 29 06:34:25 2006
+++ /home/nathanw/lighttpdpatch/mod_auth.c      Thu Feb 16 00:55:38 2006
@@ -127,6 +127,7 @@
                /* condition didn't match */
                if (!config_check_cond(srv, con, dc)) continue;

+               p->conf.context = dc;
                /* merge config */
                for (j = 0; j < dc->value->used; j++) {
                        data_unset *du = dc->value->data[j];
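
Review bot: p->conf.context = dc is assigned for every condition block that passes config_check_cond(), before the merge loop looks at which keys that block sets, so context ends up pointing at the last matching block rather than the block that supplied auth_require. With several matching conditions the %n references would then be resolved against a different match than the one the rule was written for. Move the assignment into the merge loop at the point where the auth_require value is picked up. Nothing in this hunk resets context when no conditional block matches, so that case needs an explicit NULL as well.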
@@ -215,8 +216,18 @@

        /* nothing to do for us */
        if (auth_required == 0) return HANDLER_GO_ON;
-
-       req = ((data_array *)(p->conf.auth_require->data[k]))->value;
+
+       {
+               array *req_pre;
+               data_config *dc;
+
+               req_pre = ((data_array *)(p->conf.auth_require->data[k]))->value;
+               dc = p->conf.context;
+               req = array_init_array(req_pre);
+
+               config_substitute_cond_match_buffer(con,dc,((data_string *)array_get_element(req_pre,"realm"))->value,((data_string *)array_get_element(req,"realm"))->value);
+               config_substitute_cond_match_buffer(con,dc,((data_string *)array_get_element(req_pre,"require"))->value,((data_string *)array_get_element(req,"require"))->value);
+       }

        /* try to get Authorization-header */
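
Review bot: Both calls to config_substitute_cond_match_buffer() discard the return value, so when a substitution fails (the function returns -1 after buffer_reset(out)) the handler carries on with an empty or truncated realm or require string. Check the result and refuse the request on failure. The results of array_get_element() are also dereferenced without a NULL check, and dc is taken from p->conf.context without checking that a condition set it. Because the captured text comes from the request and is copied as-is into the require rule, validate it against the characters allowed in a user name before it reaches the access check.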

@@ -247,7 +258,8 @@
                                                con->http_status = 400;

                                                /* a field was missing */
-
+
+                                               array_free(req);
                                                return HANDLER_FINISHED;
                                        }
                                }
@@ -286,13 +298,15 @@
                } else {
                        /* evil */
                }
+               array_free(req);
                return HANDLER_FINISHED;
        } else {
                /* the REMOTE_USER header */

                buffer_copy_string_buffer(con->authed_user, p->auth_user);
        }
-
+
+       array_free(req);
        return HANDLER_GO_ON;
 }
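
Review bot: array_free(req) is now repeated before each return shown in this function (twice here, and once on the 400 path in the previous hunk), so any exit that is not patched the same way leaks the per-request copy made by array_init_array(). A single cleanup label that frees req and returns the chosen handler code would keep later edits from reintroducing the leak. The paired -/+ blank line before the final array_free(req) is a whitespace-only change and can be dropped from the patch.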

--- ./http_auth.h       Sun Aug 14 09:12:31 2005
+++ /home/nathanw/lighttpdpatch/http_auth.h     Thu Feb 16 00:55:36 2006
@@ -44,6 +44,9 @@
        buffer *ldap_filter_pre;
        buffer *ldap_filter_post;
 #endif
+
+       /* context */
+       data_config *context;
 } mod_auth_plugin_config;

 typedef struct {
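
Review bot: The new context member is documented only as /* context */, which does not say that it is the data_config of the condition matched for the current request, that the pointer is borrowed rather than owned, or what it holds when no condition matched. Since it sits in mod_auth_plugin_config next to static settings, spell that out in the comment and initialise the member to NULL where the other defaults are set.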

--- ./configfile-glue.c Fri Sep 30 06:53:44 2005
+++ /home/nathanw/lighttpdpatch/configfile-glue.c       Thu Feb 16 00:55:37 2006
@@ -443,3 +443,30 @@
        return 1;
 }

+int config_substitute_cond_match_buffer(connection *con, data_config *dc, buffer *in, buffer *out) {
+       const char *pattern;
+       size_t pattern_len;
+       int n, k, start, end;
+
+       pattern = in->ptr;
+       pattern_len = in->used - 1;
+       start = end = 0;
+
+       buffer_reset(out);
+       for (k = 0; k < pattern_len; k++) {
+               if (pattern[k] == '%' && isdigit(pattern[k+1])) {
+                       n = pattern[k+1] - '0';
+                       end = k;
+
+                       buffer_append_string_len(out,pattern+start, end-start);
+                       if (!config_append_cond_match_buffer(con,dc,out,n))
+                               return -1;
+
+                       start = k+2;
+               }
+       }
+
+       buffer_append_string_len(out,pattern+start, pattern_len-start);
+       return 1;
+}
+
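
Review bot: pattern_len = in->used - 1 wraps to a very large size_t when in is an empty buffer (used == 0), and the loop then reads far past in->ptr; return early when in->used is 0. In the same loop k is an int compared against a size_t, and isdigit() is called on a plain char with no #include <ctype.h> visible in this hunk and no cast to unsigned char. There is also no way to write a literal % followed by a digit, and on the -1 path out is left holding a partial string, so the function should document that callers must not use out after a failure.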

-- nathanw

Actions #1

Updated by Anonymous almost 18 years ago

Why hasn't this been adopted yet? I'm in the exact same need to make some kind of user-based access control to webdav...

Actions #2

Updated by stbuehler over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

the lighty config is not a script.

Actions #3

Updated by stbuehler over 16 years ago

  • Status changed from Fixed to Wontfix