annotate src/http/modules/ngx_http_auth_basic_module.c @ 9049:a10210a45c8b
Core: stricter UTF-8 handling in ngx_utf8_decode().
An UTF-8 octet sequence cannot start with a 11111xxx byte (above 0xf8),
see https://datatracker.ietf.org/doc/html/rfc3629#section-3. Previously,
such bytes were accepted by ngx_utf8_decode() and misinterpreted as 11110xxx
bytes (as in a 4-byte sequence). While unlikely, this can potentially cause
issues.
Fix is to explicitly reject such bytes in ngx_utf8_decode().
author | Yugo Horie <u5.horie@gmail.com> |
---|---|
date | Thu, 23 Feb 2023 08:09:50 +0900 |
parents | d26db4f82d7d |
children |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_http.h> | |
11 #include <ngx_crypt.h> |
503 | 12 |
13 | |
/* Size in bytes of the on-stack buffer the handler reads the user file into. */
#define NGX_HTTP_AUTH_BUF_SIZE  2048
15 | |
16 | |
/*
 * Per-location configuration of the auth_basic module.  Both members are
 * complex values: they may contain variables and are evaluated for every
 * request by ngx_http_auth_basic_handler().
 */
typedef struct {
    /* argument of the "auth_basic" directive; the value "off" disables auth */
    ngx_http_complex_value_t  *realm;

    /* argument of the "auth_basic_user_file" directive: password file path */
    ngx_http_complex_value_t  *user_file;
} ngx_http_auth_basic_loc_conf_t;
21 | |
22 | |
/* request-time processing */
static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
    ngx_str_t *passwd, ngx_str_t *realm);
static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
    ngx_str_t *realm);

/* configuration-time callbacks */
static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf);
static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
503 | 34 |
35 | |
/*
 * Directives provided by the module.  Both take exactly one argument and are
 * accepted in http, server, location and limit_except contexts.
 */
static ngx_command_t  ngx_http_auth_basic_commands[] = {

    /* auth_basic <realm> | off -- stored as a complex value in ->realm */
    { ngx_string("auth_basic"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_set_complex_value_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, realm),
      NULL },

    /* auth_basic_user_file <path> -- parsed by the module's own setter */
    { ngx_string("auth_basic_user_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_auth_basic_user_file,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, user_file),
      NULL },

      ngx_null_command
};
56 | |
57 | |
/*
 * HTTP module context: the module only needs a postconfiguration hook (to
 * register its handler) and the location-level create/merge callbacks.
 */
static ngx_http_module_t  ngx_http_auth_basic_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_auth_basic_init,              /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_auth_basic_create_loc_conf,   /* create location configuration */
    ngx_http_auth_basic_merge_loc_conf     /* merge location configuration */
};
71 | |
72 | |
/*
 * Module definition: ties the context and the directive table together.
 * No process or thread life-cycle hooks are used.
 */
ngx_module_t  ngx_http_auth_basic_module = {
    NGX_MODULE_V1,
    &ngx_http_auth_basic_module_ctx,       /* module context */
    ngx_http_auth_basic_commands,          /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
87 | |
88 | |
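/*
 * Request handler for HTTP Basic authentication.
 *
 * Evaluates the configured realm and password-file path for the request,
 * scans the file for a line whose login equals r->headers_in.user and passes
 * the stored entry to ngx_http_auth_basic_crypt_handler().
 *
 * Returns:
 *   NGX_DECLINED                    realm or user file is not configured,
 *                                   or the realm evaluates to "off";
 *   NGX_ERROR                       a complex value could not be evaluated;
 *   NGX_HTTP_FORBIDDEN              the password file does not exist;
 *   NGX_HTTP_INTERNAL_SERVER_ERROR  ngx_http_auth_basic_user() failed, or the
 *                                   file could not be opened or read, or an
 *                                   allocation failed;
 *   otherwise the result of ngx_http_auth_basic_set_realm() (no credentials,
 *   or the user is not in the file) or of
 *   ngx_http_auth_basic_crypt_handler().
 *
 * Once the file has been opened, every exit goes through "cleanup", which
 * closes the descriptor and wipes the stack buffer that held file contents.
 */
static ngx_int_t
ngx_http_auth_basic_handler(ngx_http_request_t *r)
{
    off_t                            offset;
    ssize_t                          n;
    ngx_fd_t                         fd;
    ngx_int_t                        rc;
    ngx_err_t                        err;
    ngx_str_t                        pwd, realm, user_file;
    ngx_uint_t                       i, level, login, left, passwd;
    ngx_file_t                       file;
    ngx_http_auth_basic_loc_conf_t  *alcf;
    u_char                           buf[NGX_HTTP_AUTH_BUF_SIZE];
    enum {
        sw_login,       /* matching the login at the start of a line */
        sw_passwd,      /* login matched, collecting the stored entry */
        sw_skip         /* line does not apply, skip to the next LF */
    } state;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);

    if (alcf->realm == NULL || alcf->user_file == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) {
        return NGX_ERROR;
    }

    /* the realm is evaluated per request, so "off" may come from a variable */

    if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) {
        return NGX_DECLINED;
    }

    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {

        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "no user/password was provided for basic authentication");

        return ngx_http_auth_basic_set_realm(r, &realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): the path is evaluated per request and opened as is; when
     * the directive uses variables, confirm that they cannot carry
     * client-controlled data.
     */

    if (ngx_http_complex_value(r, alcf->user_file, &user_file) != NGX_OK) {
        return NGX_ERROR;
    }

    fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        err = ngx_errno;

        /* fail closed: a missing file denies access instead of allowing it */

        if (err == NGX_ENOENT) {
            level = NGX_LOG_ERR;
            rc = NGX_HTTP_FORBIDDEN;

        } else {
            level = NGX_LOG_CRIT;
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_log_error(level, r->connection->log, err,
                      ngx_open_file_n " \"%s\" failed", user_file.data);

        return rc;
    }

    ngx_memzero(&file, sizeof(ngx_file_t));

    file.fd = fd;
    file.name = user_file;
    file.log = r->connection->log;

    state = sw_login;
    passwd = 0;
    login = 0;
    left = 0;
    offset = 0;

    for ( ;; ) {

        /*
         * buf[0..left) holds the beginning of an entry carried over from
         * the previous read; "i" is preset so that the end-of-file code
         * below sees the carried length when the read returns 0.
         */

        i = left;

        n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
                          offset);

        if (n == NGX_ERROR) {
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
            goto cleanup;
        }

        if (n == 0) {
            break;
        }

        for (i = left; i < left + n; i++) {
            switch (state) {

            case sw_login:
                if (login == 0) {

                    /* comment line or a stray CR: ignore the whole line */

                    if (buf[i] == '#' || buf[i] == CR) {
                        state = sw_skip;
                        break;
                    }

                    /* empty line: keep waiting for a login */

                    if (buf[i] == LF) {
                        break;
                    }
                }

                /*
                 * When login == user.len this reads the byte right after
                 * the user name; presumably that is the ':' separator of the
                 * decoded credentials, which then has to match the ':' in
                 * the file -- confirm against ngx_http_auth_basic_user().
                 */

                if (buf[i] != r->headers_in.user.data[login]) {
                    state = sw_skip;
                    break;
                }

                if (login == r->headers_in.user.len) {
                    state = sw_passwd;
                    passwd = i + 1;
                }

                login++;

                break;

            case sw_passwd:
                if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {

                    /* terminate the entry in place and verify it */

                    buf[i] = '\0';

                    pwd.len = i - passwd;
                    pwd.data = &buf[passwd];

                    rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
                    goto cleanup;
                }

                break;

            case sw_skip:
                if (buf[i] == LF) {
                    state = sw_login;
                    login = 0;
                }

                break;
            }
        }

        if (state == sw_passwd) {

            /* the entry continues in the next read: move it to the front */

            left = left + n - passwd;
            ngx_memmove(buf, &buf[passwd], left);
            passwd = 0;

        } else {
            left = 0;
        }

        offset += n;
    }

    if (state == sw_passwd) {

        /* the last line of the file has no CR or LF after the entry */

        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {

            /*
             * Leave through "cleanup": a direct return here would leak the
             * open descriptor and skip the wipe of buf.
             */

            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
            goto cleanup;
        }

        /* NOTE(review): this pool copy of the entry is not wiped here */

        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);

        rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
        goto cleanup;
    }

    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "user \"%V\" was not found in \"%s\"",
                  &r->headers_in.user, user_file.data);

    rc = ngx_http_auth_basic_set_realm(r, &realm);

cleanup:

    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
        ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
                      ngx_close_file_n " \"%s\" failed", user_file.data);
    }

    /* buf held password-file contents; clear it before the frame is reused */

    ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);

    return rc;
}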
282 | |
283 | |
/*
 * Checks the password sent with the request against one password-file entry.
 *
 * r       - request; r->headers_in.passwd holds the client-supplied password
 * passwd  - NUL-terminated entry taken from the password file; it is given
 *           to ngx_crypt() as its third argument and compared with the result
 * realm   - realm for the challenge that is sent when the check fails
 *
 * Returns NGX_OK when the values are equal, NGX_HTTP_INTERNAL_SERVER_ERROR
 * when ngx_crypt() fails, and otherwise the result of
 * ngx_http_auth_basic_set_realm().
 *
 * With debug logging enabled, both the stored entry (logged as "salt") and
 * the computed value are written to the log, so debug logs of this module
 * contain credential material and need to be protected accordingly.
 */
static ngx_int_t
ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd,
    ngx_str_t *realm)
{
    ngx_int_t   crypt_rc;
    u_char     *computed;

    crypt_rc = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data,
                         &computed);

    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "rc: %i user: \"%V\" salt: \"%s\"",
                   crypt_rc, &r->headers_in.user, passwd->data);

    if (crypt_rc != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): ngx_strcmp() is an ordinary string comparison, not a
     * constant-time one; confirm this is acceptable for every scheme that
     * ngx_crypt() supports.
     */

    if (ngx_strcmp(computed, passwd->data) != 0) {

        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "encrypted: \"%s\"", computed);

        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "user \"%V\": password mismatch",
                      &r->headers_in.user);

        return ngx_http_auth_basic_set_realm(r, realm);
    }

    return NGX_OK;
}
315 | |
316 | |
/*
 * Adds a 'WWW-Authenticate: Basic realm="<realm>"' header to the response.
 *
 * Returns NGX_HTTP_UNAUTHORIZED once the header is set, or
 * NGX_HTTP_INTERNAL_SERVER_ERROR when the header slot or the value buffer
 * cannot be allocated.
 *
 * The realm bytes are copied between the quotes unchanged.  Since the realm
 * is a complex value, NOTE(review): confirm that it cannot contain a double
 * quote or control characters coming from a variable, as nothing here
 * escapes them.
 */
static ngx_int_t
ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
{
    size_t   value_len;
    u_char  *value, *end;

    r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
    if (r->headers_out.www_authenticate == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* prefix, realm and closing quote; the value is not NUL-terminated */

    value_len = sizeof("Basic realm=\"\"") - 1 + realm->len;

    value = ngx_pnalloc(r->pool, value_len);
    if (value == NULL) {

        /*
         * the list element is already pushed; presumably hash = 0 marks it
         * as unused so that it is not sent -- confirm
         */

        r->headers_out.www_authenticate->hash = 0;
        r->headers_out.www_authenticate = NULL;
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    end = ngx_cpymem(value, "Basic realm=\"", sizeof("Basic realm=\"") - 1);
    end = ngx_cpymem(end, realm->data, realm->len);
    *end = '"';

    ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate");
    r->headers_out.www_authenticate->value.len = value_len;
    r->headers_out.www_authenticate->value.data = value;
    r->headers_out.www_authenticate->hash = 1;
    r->headers_out.www_authenticate->next = NULL;

    return NGX_HTTP_UNAUTHORIZED;
}
349 | |
350 | |
/*
 * Allocates the location configuration from the configuration pool and marks
 * both complex values as unset so that the merge step can tell "not
 * specified here" apart from a configured value.
 *
 * Returns the new structure, or NULL when the allocation fails.
 */
static void *
ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
{
    ngx_http_auth_basic_loc_conf_t  *alcf;

    alcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_basic_loc_conf_t));
    if (alcf == NULL) {
        return NULL;
    }

    alcf->user_file = NGX_CONF_UNSET_PTR;
    alcf->realm = NGX_CONF_UNSET_PTR;

    return alcf;
}
366 | |
367 | |
/*
 * Merges the enclosing level's settings into a location: a value that is
 * unset at this level is taken from the parent, and NULL is used when
 * neither level sets it.  The request handler treats NULL as "authentication
 * not configured".
 *
 * Always returns NGX_CONF_OK.
 */
static char *
ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_auth_basic_loc_conf_t  *outer = parent;
    ngx_http_auth_basic_loc_conf_t  *inner = child;

    ngx_conf_merge_ptr_value(inner->user_file, outer->user_file, NULL);
    ngx_conf_merge_ptr_value(inner->realm, outer->realm, NULL);

    return NGX_CONF_OK;
}
379 | |
380 | |
/*
 * Postconfiguration hook: appends ngx_http_auth_basic_handler() to the
 * handlers of the access phase.
 *
 * Returns NGX_OK, or NGX_ERROR when the handler array cannot be extended.
 */
static ngx_int_t
ngx_http_auth_basic_init(ngx_conf_t *cf)
{
    ngx_http_handler_pt        *slot;
    ngx_http_core_main_conf_t  *core;

    core = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    slot = ngx_array_push(&core->phases[NGX_HTTP_ACCESS_PHASE].handlers);
    if (slot == NULL) {
        return NGX_ERROR;
    }

    *slot = ngx_http_auth_basic_handler;

    return NGX_OK;
}
398 | |
399 | |
/*
 * Setter of the "auth_basic_user_file" directive: compiles the single
 * argument into a complex value stored in the location configuration.
 *
 * Returns NGX_CONF_OK on success, "is duplicate" when the directive was
 * already given at this level, and NGX_CONF_ERROR when the allocation or the
 * compilation fails.
 */
static char *
ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_auth_basic_loc_conf_t  *alcf = conf;

    ngx_str_t                         *args;
    ngx_http_compile_complex_value_t   ccv;

    if (alcf->user_file != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    alcf->user_file = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
    if (alcf->user_file == NULL) {
        return NGX_CONF_ERROR;
    }

    /* args[0] is the directive name, args[1] its only argument */

    args = cf->args->elts;

    ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));

    ccv.cf = cf;
    ccv.complex_value = alcf->user_file;
    ccv.value = &args[1];

    /*
     * presumably "zero" requests a NUL-terminated result, which the handler
     * relies on when it passes user_file.data to ngx_open_file(), and
     * "conf_prefix" resolves a relative path against the configuration
     * prefix -- confirm against ngx_http_compile_complex_value()
     */

    ccv.conf_prefix = 1;
    ccv.zero = 1;

    if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}