Ticket #321 (closed defect: invalid)

Opened 3 years ago

Last modified 6 months ago

mod_fastcgi authorizers cannot protect fastcgi responders

Reported by: cpisto@nmxs.com Assigned to: maherb
Priority: normal Milestone:
Component: mod_fastcgi Version: 1.4.5
Severity: critical Keywords: patch
Cc: Blocking:
Need Feedback: 0

Description

lighttpd will serve a fastcgi as a static file if an authorizer is set up to protect its parent location.

For example, if a fastcgi authorizer is set up to protect /test/ and a responder is set up at /test/test.fcgi, lighttpd will return the binary contents of test.fcgi (or a 404 if /test/test.fcgi is a remote responder).

This is because the mechanism to tell mod_fastcgi that it has already authorized a request never accounted for this need.
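The layout the report describes, written out as a lighttpd 1.4 `fastcgi.server` fragment; this is an added illustration, not configuration from the ticket or from the lighttpd project, and the document root, backend addresses and ports are assumed placeholders.

```conf
# Added illustration (not from the ticket): the authorizer/responder
# layout that triggers the behaviour described above.
# Document root, hosts and ports are assumed placeholder values.
server.document-root = "/var/www/htdocs"

fastcgi.server = (
  # Authorizer guarding the /test/ prefix: every request below it is
  # first sent to this backend, which must answer 200 to admit it.
  "/test/" => ((
    "host" => "127.0.0.1",
    "port" => 9001,
    "mode" => "authorizer"
  )),
  # Responder that is supposed to run the application for this URL.
  "/test/test.fcgi" => ((
    "host" => "127.0.0.1",
    "port" => 9002
  ))
)

# Behaviour reported for 1.4.5: once the authorizer has accepted
# GET /test/test.fcgi, lighttpd does not hand the request to the
# responder. With a remote responder as above the client gets a 404;
# with a local script at /var/www/htdocs/test/test.fcgi its bytes are
# served as a static file instead of being executed.
```

To check whether a deployment is affected, request a responder URL below an authorizer-protected prefix with valid credentials and confirm that the response comes from the responder rather than from the static file handler.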

Attachments

fastcgi-authorizer-fixes.diff (6.6 kB) - added by maherb on 06/20/2006 12:02:00 PM.
All fastcgi mode=authorizer fixes (Variable- env works, proper re-dispatching, and assert failure fix when auth is running in front of cgi).

Change History

06/01/2006 04:15:53 AM changed by maherb

This seems like a pretty important detail, and if you are going to advertise the fact that you support a fastcgi authorizer, you should probably warn users about this defect.

06/20/2006 12:02:00 PM changed by maherb

  • attachment fastcgi-authorizer-fixes.diff added.

All fastcgi mode=authorizer fixes (Variable- env works, proper re-dispatching, and assert failure fix when auth is running in front of cgi).

10/22/2006 05:29:38 AM changed by maherb

  • keywords set to patch.
  • owner changed from jan to maherb.
  • status changed from new to assigned.

08/18/2007 09:51:32 AM changed by jan

  • status changed from assigned to closed.
  • resolution set to invalid.
  • blocking changed.
  • pending changed.

We are only following the FastCGI spec.

In 1.5.0 we added X-Rewrite which fixes this in a generic way.

02/01/2008 08:28:51 AM changed by anonymous

Where in the spec does it say that an authorizer can only protect static files? I just wasted an entire day writing a MySQL authorizer just to realize that LightTPD's implementation of the authorizer mode can only be used to protect static files and only if the mod_fastcgi matches URLs using file extensions. If URLs are matched using a path prefix, mod_fastcgi appends the prefix to the docroot and completely forgets about the rest of the URL. This is so useless that I wonder why the authorizer support actually exists in mod_fastcgi. The attached patch looks sane to me, can't you apply it and get on with it? I don't really want to wait another year until 1.5 comes out, if at all.
