Bug #46005 [PATCH] User not consistently logged under Apache2
Submitted: 2008-09-05 19:57 UTC
Modified: 2008-12-18 14:35 UTC
Votes:11
Avg. Score:4.5 ± 0.8
Reproduced:11 of 11 (100.0%)
Same Version:11 (100.0%)
Same OS:7 (63.6%)
From: admorten at umich dot edu
Assigned:
Status: Closed
Package: Apache2 related
PHP Version: 5.2.6
OS: Linux 2.6.21.3
Private report: No
CVE-ID:
 [2008-09-05 19:57 UTC] admorten at umich dot edu
Description:
------------
The apache2 handler and filter strip the user (r->user) from the 
request if there's no Authorization header in the request. This breaks 
user logging for authorization filters like mod_auth_kerb, 
mod_authnz_ldap and mod_cosign, which do not use the Authorization 
header. The patches linked to below check whether r->user is set and 
ensure that the user remains attached to the request, which Apache2 
can then use to log the user properly.

This should fix the issues reported previously in bug #44631. The 
issue was partially fixed with the patch in bug #22672, but that patch 
continued to rely on Authorization headers, and was only applied to 
the apache2 handler.

Patches (apply to 5.2.6):
<http://rsug.itd.umich.edu/~admorten/sapi_apache2filter_user_logging_f
ix.patch>
<http://rsug.itd.umich.edu/~admorten/sapi_apache2handler_user_logging_
fix.patch>


 [2008-09-05 20:01 UTC] admorten at umich dot edu
Patch URLs got mangled. Shortened patch names:

<http://rsug.itd.umich.edu/~admorten/apache2filter_user_logging.patch>
<http://rsug.itd.umich.edu/~admorten/apache2handler_user_logging.patch>
 [2008-10-10 15:52 UTC] admorten at umich dot edu
I've updated both patches to use apr_pstrdup instead of estrdup when 
copying r->user into SG(request_info).auth_user, which is how the rest 
of the request info is copied. URLs are still the same.
 [2008-11-05 10:16 UTC] k at kelvinlim dot com
I encountered this bug as well, as our Apache configuration uses a custom single sign-on authentication module.

admorten's patches successfully resolved the issue--but only after I switched back to the use of estrdup.  apr_pstrdup does *not* work; instead, it causes my Apache processes (prefork MPM) to segfault.
 [2008-11-06 18:57 UTC] admorten at umich dot edu
Do you have a backtrace?
 [2008-12-17 11:09 UTC] stas@php.net
It should definitely be estrdup, since SAPI.c uses efree to free it.
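
The behaviour described in the report and the check the patches add, modeled as an added example that is not part of the original thread or the PHP source. `struct request`, `struct sapi_info`, `header_user` and all function names are hypothetical stand-ins for `r`, `SG(request_info)` and the parsed Authorization header; `malloc`/`free` stand in for `estrdup`/`efree`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for request_rec and SG(request_info). */
struct request {
    const char *header_user;  /* user parsed from Authorization, NULL if no header */
    char user_buf[64];        /* request-lifetime storage, like the request pool */
    const char *user;         /* like r->user: what the access log records */
};
struct sapi_info { char *auth_user; };  /* heap-owned, released with free() */

static char *heap_dup(const char *s) {  /* stands in for estrdup */
    char *p = s ? malloc(strlen(s) + 1) : NULL;
    return p ? strcpy(p, s) : NULL;
}
static void set_user(struct request *r, const char *name) {
    if (name) snprintf(r->user_buf, sizeof r->user_buf, "%s", name);
    r->user = name ? r->user_buf : NULL;
}
/* Reported behaviour: only the header is consulted, so a user set by an
 * auth module is replaced with NULL when no Authorization header exists. */
static void sync_user_before(struct request *r, struct sapi_info *sg) {
    sg->auth_user = heap_dup(r->header_user);
    set_user(r, sg->auth_user);
}
/* Patched behaviour: fall back to the user already attached to the request.
 * The copy must come from the allocator whose free routine releases it. */
static void sync_user_after(struct request *r, struct sapi_info *sg) {
    sg->auth_user = heap_dup(r->header_user);
    if (sg->auth_user == NULL && r->user != NULL)
        sg->auth_user = heap_dup(r->user);
    set_user(r, sg->auth_user);
}
/* Runs one constructed request; returns what the access log would show. */
static const char *logged_user(int patched, const char *hdr, const char *mod) {
    static char out[64];
    struct request r = { hdr, {0}, NULL };
    struct sapi_info sg = { NULL };
    set_user(&r, mod);                   /* auth module ran first */
    if (patched) sync_user_after(&r, &sg); else sync_user_before(&r, &sg);
    snprintf(out, sizeof out, "%s", r.user ? r.user : "-");
    free(sg.auth_user);                  /* stands in for efree in SAPI.c */
    return out;
}
int main(void) {
    printf("before: %s\n", logged_user(0, NULL, "alice"));
    printf("after:  %s\n", logged_user(1, NULL, "alice"));
    return 0;
}
```

A "-" in the user field for requests that an authentication module did accept is the symptom to look for in access logs produced by an unpatched build.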
 [2008-12-17 11:35 UTC] stas@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

applied to 5.3+, thanks
 [2008-12-18 14:35 UTC] jani@php.net
And now also in PHP_5_2 branch. :)
 