Fix security patch. Some parts of it aren't needed and caused problems.

ok henning@
2007-02-11 10:31:20 +00:00 · 2007-02-11 10:31:20 +00:00 · 4ba6e124ed
commit 4ba6e124ed
parent 471db9c52d
2 changed files with 3 additions and 38 deletions
--- a/www/mod_auth_ldap/Makefile
+++ b/www/mod_auth_ldap/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2007/01/22 15:04:31 bernd Exp $
+# $OpenBSD: Makefile,v 1.7 2007/02/11 10:31:20 bernd Exp $

 # This port currently only works with archs supporting dynamic loading
 # and has Apache that supports DSO's.
@ -8,7 +8,7 @@ COMMENT=	"Apache LDAP authentication module"

 VERSION=	1.6.0
 DISTNAME=	auth_ldap-${VERSION}
-PKGNAME=	mod_auth_ldap-${VERSION}p2
+PKGNAME=	mod_auth_ldap-${VERSION}p3
 CATEGORIES=	www

 HOMEPAGE=	http://www.rudedog.org/auth_ldap/
--- a/www/mod_auth_ldap/patches/patch-auth_ldap_c
+++ b/www/mod_auth_ldap/patches/patch-auth_ldap_c
@ -1,4 +1,4 @@
-$OpenBSD: patch-auth_ldap_c,v 1.1 2007/01/22 15:04:32 bernd Exp $
+$OpenBSD: patch-auth_ldap_c,v 1.2 2007/02/11 10:31:20 bernd Exp $

 Fixes a security bug that could allow attacker to execute arbitrary
 commands as the apache user.
@ -17,38 +17,3 @@ took the security fix.
 #endif
 }
 
-@@ -610,6 +610,7 @@ ldap_authenticate_basic_user(request_rec
- 			 "%d entries for search %s: URI %s", 
- 			 count, filtbuf, r->uri);
-     ldap_msgfree(res);
-+    ap_note_basic_auth_failure(r);
-     RELMUTEX(conf->mtx);
-     RELMUTEX(sec->ldc->mtx);
-     return sec->auth_authoritative? AUTH_REQUIRED: DECLINED;
-@@ -632,7 +633,7 @@ ldap_authenticate_basic_user(request_rec
-      able to authenticate with this module. I don't see this as a big
-      problem.
-   */
-  if (strlen(sent_pw) <= 0) {
-+  if ((sec->dn == NULL) || (strlen(sent_pw) <= 0)) {
-     auth_ldap_log_reason(r, "AuthLDAP: user %s provided an empty password: %s", 
- 			 r->connection->user, r->uri);
-     ap_note_basic_auth_failure(r);
-@@ -653,7 +654,6 @@ ldap_authenticate_basic_user(request_rec
-    */
-   ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r,
- 		"{%d} LDAP OP: simple bind", (int)getpid());
-  sec->ldc->boundas = bind_user;
-   if ((result = 
-        ldap_simple_bind_s(sec->ldc->ldap, sec->dn, const_cast(sent_pw))) == 
-       LDAP_SERVER_DOWN) {
-@@ -671,6 +671,9 @@ ldap_authenticate_basic_user(request_rec
-     RELMUTEX(sec->ldc->mtx);
-     return AUTH_REQUIRED;
-   }
-+
-+  sec->ldc->bounddn = strdup(sec->dn);
-+  sec->ldc->boundas = bind_user;
- 
-   ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r, 
- 		"{%d} authenticate: accepting", (int)getpid());