[PATCH] User not consistently logged under Apache2

Bug #46005

Submitted:

2008-09-05 19:57 UTC

Modified:

2008-12-18 14:35 UTC

Votes:	11
Avg. Score:	4.5 ± 0.8
Reproduced:	11 of 11 (100.0%)
Same Version:	11 (100.0%)
Same OS:	7 (63.6%)

From:

admorten at umich dot edu

Assigned:

Status:

Closed

Package:

Apache2 related

PHP Version:

5.2.6

OS:

Linux 2.6.21.3

Private report:

CVE-ID:

None

[2008-09-05 19:57 UTC] admorten at umich dot edu

Description:
------------
The apache2 handler and filter strip the user (r->user) from the 
request if there's no Authorization header in the request. This breaks 
user logging for authorization filters like mod_auth_kerb, 
mod_authnz_ldap and mod_cosign, which do not use the Authorization 
header. The patches linked to below check to see r->user is set and 
ensures that the user remains attached to the request, which Apache2 
can then use to log the user properly.

This should fix the issues reported previously in bug #44631. The 
issue was partially fixed with the patch in bug #22672, but that patch 
continued to rely on Authorization headers, and was only applied to 
the apache2 handler.

Patches (apply to 5.2.6):
<http://rsug.itd.umich.edu/~admorten/sapi_apache2filter_user_logging_f
ix.patch>
<http://rsug.itd.umich.edu/~admorten/sapi_apache2handler_user_logging_
fix.patch>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-10-10 15:52 UTC] admorten at umich dot edu

I've updated both patches to use apr_pstrdup instead of estrdup when 
copying r->user into SG(request_info).auth_user, which is how the rest 
of the request info is copied. URLs are still the same.

[2008-11-05 10:16 UTC] k at kelvinlim dot com

I encountered this bug as well, as our Apache configuration uses a custom single sign-on authentication module.

admorten's patches successfully resolved the issue--but only after I switched back to the use of estrdup.  apr_pstrdup does *not* work; instead, it causes my Apache processes (prefork MPM) to segfault.

[2008-11-06 18:57 UTC] admorten at umich dot edu

Do you have a backtrace?

[2008-12-17 11:09 UTC] stas@php.net

It should definitely be estrdup, since SAPI.c uses efree to free it.

[2008-12-17 11:35 UTC] stas@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

applied to 5.3+, thanks

[2008-12-18 14:35 UTC] jani@php.net

And now also in PHP_5_2 branch. :)