Date: Sun, 22 Apr 2012 18:00:15 GMT From: Ryan Steinmetz <rpsfa@rit.edu> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/167209: [patch] www/lighttpd to allow use of remote-user in conditionals Message-ID: <201204221800.q3MI0FKX028696@red.freebsd.org> Resent-Message-ID: <201204221800.q3MI0PRg048976@freefall.freebsd.org>
>Number: 167209 >Category: ports >Synopsis: [patch] www/lighttpd to allow use of remote-user in conditionals >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sun Apr 22 18:00:24 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Ryan Steinmetz >Release: 8.3-RELEASE >Organization: Rochester Institute of Technology >Environment: >Description: This patch adds the ability to use syntax like the following: $HTTP["url"] =~ "^/url" { $HTTP["remoteuser"] !~ "myuser" { url.access-deny = ( "" ) } } This makes it possible to authorize specific client certificates whenever they are used. Sample syntax could look like the following: ssl.verifyclient.exportcert = "enable" ssl.verifyclient.activate = "enable" ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.enforce = "disable" ssl.verifyclient.depth = 3 ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.exportcert = "enable" $HTTP["url"] =~ "^/url" { $HTTP["remoteuser"] !~ "mycertCN" { url.access-deny = ( "" ) } } This patch has been submitted upstream in Feature request #2415, however, the last release of lighttpd was over 1 year ago. >How-To-Repeat: >Fix: Patch attached with submission follows: Index: Makefile =================================================================== RCS file: /home/ncvs/ports/www/lighttpd/Makefile,v retrieving revision 1.107 diff -u -r1.107 Makefile --- Makefile 19 Mar 2012 09:18:13 -0000 1.107 +++ Makefile 22 Apr 2012 17:53:40 -0000 @@ -59,7 +59,8 @@ OPENSSL "Enable SSL support" on \ SPAWNFCGI "Depend on spawn-fcgi utility" off \ VALGRIND "Enable valgrind support" off \ - WEBDAV "Enable WebDAV support" off + WEBDAV "Enable WebDAV support" off \ + REMOTEUSER "Enable remote-user in conditionals" off .if !defined(NOPORTDOCS) DOCS= AUTHORS COPYING INSTALL NEWS README 
@@ -186,6 +187,10 @@ CONFIGURE_ARGS+= --with-webdav-props --with-webdav-locks .endif +.if defined(WITH_REMOTEUSER) +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-remoteuser +.endif + SUB_LIST+= REQUIRE="${_REQUIRE}" post-patch: Index: files/extra-patch-remoteuser =================================================================== RCS file: files/extra-patch-remoteuser diff -N files/extra-patch-remoteuser --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/extra-patch-remoteuser 22 Apr 2012 17:50:20 -0000 
@@ -0,0 +1,64 @@
+diff -urN src/array.h src/array.h
+--- src/array.h 2010-02-01 18:28:20.000000000 -0500
++++ src/array.h 2012-04-22 13:25:16.000000000 -0400
+@@ -96,6 +96,7 @@
+ COMP_HTTP_QUERY_STRING,
+ COMP_HTTP_SCHEME,
+ COMP_HTTP_REQUEST_METHOD,
++ COMP_HTTP_REMOTE_USER,
+
+ COMP_LAST_ELEMENT
+ } comp_key_t;
+diff -urN src/configfile-glue.c src/configfile-glue.c
+--- src/configfile-glue.c 2010-08-17 05:04:38.000000000 -0400
++++ src/configfile-glue.c 2012-04-22 13:25:16.000000000 -0400
+@@ -455,6 +455,14 @@
+ }
+ break;
+ }
++ case COMP_HTTP_REMOTE_USER: {
++ if (NULL != con->authed_user) {
++ l = con->authed_user;
++ } else {
++ l = srv->empty_string;
++ }
++ break;
++ }
+ default:
+ return COND_RESULT_FALSE;
+ }
+diff -urN src/configparser.c src/configparser.c
+--- src/configparser.c 2011-12-18 09:54:21.000000000 -0500
++++ src/configparser.c 2012-04-22 13:25:16.000000000 -0400
+@@ -1221,6 +1221,8 @@
+ { COMP_HTTP_QUERY_STRING, CONST_STR_LEN("HTTP[\"query-string\"]") },
+ { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") },
+ { COMP_HTTP_SCHEME, CONST_STR_LEN("HTTP[\"scheme\"]" ) },
++ { COMP_HTTP_REMOTE_USER, CONST_STR_LEN("HTTP[\"remoteuser\"]" ) },
++ { COMP_HTTP_REMOTE_USER, CONST_STR_LEN("HTTP[\"remote-user\"]" ) },
+ { COMP_UNSET, NULL, 0 },
+ };
+ size_t i;
+diff -urN src/configparser.y src/configparser.y
+--- src/configparser.y 2010-02-01 18:28:20.000000000 -0500
++++ src/configparser.y 2012-04-22 13:25:16.000000000 -0400
+@@ -435,6 +435,8 @@
+ { COMP_HTTP_QUERY_STRING, CONST_STR_LEN("HTTP[\"query-string\"]") },
+ { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") },
+ { COMP_HTTP_SCHEME, CONST_STR_LEN("HTTP[\"scheme\"]" ) },
++ { COMP_HTTP_REMOTE_USER, CONST_STR_LEN("HTTP[\"remoteuser\"]" ) },
++ { COMP_HTTP_REMOTE_USER, CONST_STR_LEN("HTTP[\"remote-user\"]" ) },
+ { COMP_UNSET, NULL, 0 },
+ };
+ size_t i;
+diff -urN src/response.c src/response.c
+--- src/response.c 2010-08-17 05:04:38.000000000 -0400
++++ src/response.c 2012-04-22 13:25:30.000000000 -0400
+@@ -280,6 +280,7 @@
+ config_patch_connection(srv, con, COMP_HTTP_LANGUAGE); /* Accept-Language: */
+ config_patch_connection(srv, con, COMP_HTTP_COOKIE); /* Cookie: */
+ config_patch_connection(srv, con, COMP_HTTP_REQUEST_METHOD); /* REQUEST_METHOD */
++ config_patch_connection(srv, con, COMP_HTTP_REMOTE_USER); /* REMOTE_USER */
+
+ /** their might be a fragment which has to be cut away */
+ if (NULL != (qstr = strchr(con->request.uri->ptr, '#'))) {
>Release-Note: >Audit-Trail: >Unformatted:
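Review bot: The new `COMP_HTTP_REMOTE_USER` case in src/configfile-glue.c falls back to `srv->empty_string` only when `con->authed_user` is a NULL pointer, so an allocated but still empty buffer is handed to the comparison as-is; `if (!buffer_is_empty(con->authed_user)) {` would cover both states. Separately, the src/response.c hunk evaluates the condition alongside the Cookie and REQUEST_METHOD ones, before the URI is processed, and nothing in the patch shows that `con->authed_user` has already been populated at that point. If it is filled in later (by an auth module or the client-certificate handling, which is not visible here), the condition always compares against the empty string, so a `!~` deny block would reject every user and an `==` or `=~` block would never match. Because this conditional is intended for access control, the ordering should be confirmed and recorded at the call, e.g. `/* REMOTE_USER: con->authed_user must already be set when this runs */`. Both enclosing functions start and end outside the hunks.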