simo pushed to mod_auth_gssapi (f22). "Fix saving delegated credentials for SPNs"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Mar 26 20:53:36 UTC 2015


>From b536c544c0870052086dd66215175f433617782d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo at redhat.com>
Date: Thu, 26 Mar 2015 16:37:45 -0400
Subject: Fix saving delegated credentials for SPNs


diff --git a/0001-Escape-principal-name-to-remove-the-path-separator.patch b/0001-Escape-principal-name-to-remove-the-path-separator.patch
new file mode 100644
index 0000000..b33e1cc
--- /dev/null
+++ b/0001-Escape-principal-name-to-remove-the-path-separator.patch
@@ -0,0 +1,90 @@
+From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Thu, 26 Mar 2015 16:30:56 -0400
+Subject: [PATCH] Escape principal name to remove the path separator
+
+The principla name is used as a file name, any embedded path separators
+are going to cause trouble if used in the file name, so we need to escape
+them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
+
+Fixes #14
+---
+ src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
+     return false;
+ }
+ 
++static char *escape(apr_pool_t *pool, const char *name,
++                    char find, const char *replace)
++{
++    char *escaped = NULL;
++    char *namecopy;
++    char *n;
++    char *p;
++
++    namecopy = apr_pstrdup(pool, name);
++    if (!namecopy) goto done;
++
++    p = strchr(namecopy, find);
++    if (!p) return namecopy;
++
++    /* first segment */
++    n = namecopy;
++    while (p) {
++        /* terminate previous segment */
++        *p = '\0';
++        if (escaped) {
++            escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
++        } else {
++            escaped = apr_pstrcat(pool, n, replace, NULL);
++        }
++        if (!escaped) goto done;
++        /* move to next segment */
++        n = p + 1;
++        p = strchr(n, find);
++    }
++    /* append last segment if any */
++    if (*n) {
++        escaped = apr_pstrcat(pool, escaped, n, NULL);
++    }
++
++done:
++    if (!escaped) {
++        ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
++                     "OOM escaping name");
++    }
++    return escaped;
++}
++
+ static void mag_store_deleg_creds(request_rec *req,
+                                   char *dir, char *clientname,
+                                   gss_cred_id_t delegated_cred,
+@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
+     gss_key_value_set_desc store;
+     char *value;
+     uint32_t maj, min;
++    char *escaped;
+ 
+-    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
++    /* We need to escape away '/', we can't have path separators in
++     * a ccache file name */
++    /* first double escape the esacping char (~) if any */
++    escaped = escape(req->pool, clientname, '~', "~~");
++    if (!escaped) return;
++    /* then escape away the separator (/) if any */
++    escaped = escape(req->pool, escaped, '/', "~");
++    if (!escaped) return;
++
++    value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
+     if (!value) {
+         ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+                      "OOM storing delegated credentials");
+-- 
+2.1.0
+
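Review bot: The escaping applied to `clientname` in mag_store_deleg_creds is not one-to-one: `~` is rewritten to `~~` and then `/` to a single `~`, so `a//b` and `a~b` both become `a~~b`. Two distinct principal names could then resolve to the same ccache file under `dir`, which matters because that file holds delegated credentials. Mapping the separator to a sequence the first pass can never produce keeps the names distinct, for example `escaped = escape(req->pool, escaped, '/', "~s");`, with the comment above it updated to describe the encoding. Separately, escape() reaches `done` and logs "OOM escaping name" whenever `apr_pstrdup` returns NULL, which presumably also happens for a NULL `name`; a one-line comment on the function stating that `name` must be non-NULL would make the contract clear. The body of mag_store_deleg_creds continues outside the hunk.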
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index e92fea6..4766d23 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@
 Name:           mod_auth_gssapi
 Version:        1.1.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A GSSAPI Authentication module for Apache
 
 Group:          System Environment/Daemons
@@ -12,13 +12,15 @@ BuildRequires:  httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libt
 Requires:       httpd-mmn = %{_httpd_mmn}
 Requires:       krb5-libs >= 1.11.5
 
+Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch
+
 %description
 The mod_auth_gssapi module is an authentication service that implements the
 SPNEGO based HTTP Authentication protocol defined in RFC4559.
 
 %prep
 %setup -q
-
+%patch01 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -44,6 +46,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
 %{_httpd_moddir}/mod_auth_gssapi.so
 
 %changelog
+* Thu Mar 26 2015 Simo Sorce <simo at redhat.com> 1.1.0-2
+- Fix saving delegated credentials for SPNs
+
 * Thu Mar 12 2015 Simo Sorce <simo at redhat.com> 1.1.0-1
 - New minor release 1.1.0
 - New feature: Basic Auth support
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/mod_auth_gssapi.git/commit/?h=f22&id=b536c544c0870052086dd66215175f433617782d

