Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 22 Apr 2012 18:00:15 GMT
From:      Ryan Steinmetz <rpsfa@rit.edu>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/167209: [patch] www/lighttpd to allow use of remote-user in conditionals
Message-ID:  <201204221800.q3MI0FKX028696@red.freebsd.org>
Resent-Message-ID: <201204221800.q3MI0PRg048976@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         167209
>Category:       ports
>Synopsis:       [patch] www/lighttpd to allow use of remote-user in conditionals
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 22 18:00:24 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ryan Steinmetz
>Release:        8.3-RELEASE
>Organization:
Rochester Institute of Technology
>Environment:
>Description:
This patch adds the ability to use syntax like the following:
$HTTP["url"] =~ "^/url" {
  $HTTP["remoteuser"] !~ "myuser" {
    url.access-deny = ( "" )
  }
}

This makes it possible to authorize specific client certificates whenever they are used.  Sample syntax could look like the following:

ssl.verifyclient.exportcert = "enable"
ssl.verifyclient.activate   = "enable"
ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
ssl.verifyclient.enforce    = "disable"
ssl.verifyclient.depth      = 3
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
ssl.verifyclient.exportcert = "enable"
$HTTP["url"] =~ "^/url" {
  $HTTP["remoteuser"] !~ "mycertCN" {
    url.access-deny = ( "" )
  }
}

This patch has been submitted upstream in Feature request #2415, however, the last release of lighttpd was over 1 year ago.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/lighttpd/Makefile,v
retrieving revision 1.107
diff -u -r1.107 Makefile
--- Makefile	19 Mar 2012 09:18:13 -0000	1.107
+++ Makefile	22 Apr 2012 17:53:40 -0000
@@ -59,7 +59,8 @@
 		OPENSSL		"Enable SSL support" on \
 		SPAWNFCGI	"Depend on spawn-fcgi utility" off \
 		VALGRIND	"Enable valgrind support" off \
-		WEBDAV		"Enable WebDAV support"	off
+		WEBDAV		"Enable WebDAV support"	off \
+		REMOTEUSER	"Enable remote-user in conditionals" off
 
 .if !defined(NOPORTDOCS)
 DOCS=		AUTHORS COPYING INSTALL NEWS README
@@ -186,6 +187,10 @@
 CONFIGURE_ARGS+=	--with-webdav-props --with-webdav-locks
 .endif
 
+.if defined(WITH_REMOTEUSER)
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-remoteuser
+.endif
+
 SUB_LIST+=		REQUIRE="${_REQUIRE}"
 
 post-patch:
Index: files/extra-patch-remoteuser
===================================================================
RCS file: files/extra-patch-remoteuser
diff -N files/extra-patch-remoteuser
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/extra-patch-remoteuser	22 Apr 2012 17:50:20 -0000
@@ -0,0 +1,64 @@
+diff -urN src/array.h src/array.h
+--- src/array.h	2010-02-01 18:28:20.000000000 -0500
++++ src/array.h	2012-04-22 13:25:16.000000000 -0400
+@@ -96,6 +96,7 @@
+ 	COMP_HTTP_QUERY_STRING,
+ 	COMP_HTTP_SCHEME,
+ 	COMP_HTTP_REQUEST_METHOD,
++	COMP_HTTP_REMOTE_USER,
+ 
+ 	COMP_LAST_ELEMENT
+ } comp_key_t;
+diff -urN src/configfile-glue.c src/configfile-glue.c
+--- src/configfile-glue.c	2010-08-17 05:04:38.000000000 -0400
++++ src/configfile-glue.c	2012-04-22 13:25:16.000000000 -0400
+@@ -455,6 +455,14 @@
+ 		}
+ 		break;
+ 	}
++	case COMP_HTTP_REMOTE_USER: {
++		if (NULL != con->authed_user) {
++			l = con->authed_user;
++		} else {
++			l = srv->empty_string;
++		}
++		break;
++	}
+ 	default:
+ 		return COND_RESULT_FALSE;
+ 	}
+diff -urN src/configparser.c src/configparser.c
+--- src/configparser.c	2011-12-18 09:54:21.000000000 -0500
++++ src/configparser.c	2012-04-22 13:25:16.000000000 -0400
+@@ -1221,6 +1221,8 @@
+       { COMP_HTTP_QUERY_STRING,  CONST_STR_LEN("HTTP[\"query-string\"]") },
+       { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") },
+       { COMP_HTTP_SCHEME,        CONST_STR_LEN("HTTP[\"scheme\"]"     ) },
++      { COMP_HTTP_REMOTE_USER,   CONST_STR_LEN("HTTP[\"remoteuser\"]" ) },
++      { COMP_HTTP_REMOTE_USER,   CONST_STR_LEN("HTTP[\"remote-user\"]" ) },
+       { COMP_UNSET, NULL, 0 },
+     };
+     size_t i;
+diff -urN src/configparser.y src/configparser.y
+--- src/configparser.y	2010-02-01 18:28:20.000000000 -0500
++++ src/configparser.y	2012-04-22 13:25:16.000000000 -0400
+@@ -435,6 +435,8 @@
+       { COMP_HTTP_QUERY_STRING,  CONST_STR_LEN("HTTP[\"query-string\"]") },
+       { COMP_HTTP_REQUEST_METHOD, CONST_STR_LEN("HTTP[\"request-method\"]") },
+       { COMP_HTTP_SCHEME,        CONST_STR_LEN("HTTP[\"scheme\"]"     ) },
++      { COMP_HTTP_REMOTE_USER,   CONST_STR_LEN("HTTP[\"remoteuser\"]" ) },
++      { COMP_HTTP_REMOTE_USER,   CONST_STR_LEN("HTTP[\"remote-user\"]" ) },
+       { COMP_UNSET, NULL, 0 },
+     };
+     size_t i;
+diff -urN src/response.c src/response.c
+--- src/response.c	2010-08-17 05:04:38.000000000 -0400
++++ src/response.c	2012-04-22 13:25:30.000000000 -0400
+@@ -280,6 +280,7 @@
+ 		config_patch_connection(srv, con, COMP_HTTP_LANGUAGE);  /* Accept-Language:  */
+ 		config_patch_connection(srv, con, COMP_HTTP_COOKIE);    /* Cookie:  */
+ 		config_patch_connection(srv, con, COMP_HTTP_REQUEST_METHOD); /* REQUEST_METHOD */
++		config_patch_connection(srv, con, COMP_HTTP_REMOTE_USER); /* REMOTE_USER */
+ 
+ 		/** their might be a fragment which has to be cut away */
+ 		if (NULL != (qstr = strchr(con->request.uri->ptr, '#'))) {


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201204221800.q3MI0FKX028696>