# ChangeLog for www-apache/mod_auth_pgsql
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_pgsql/ChangeLog,v 1.12 2014/12/28 16:59:35 titanofold Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_pgsql/ChangeLog,v 1.13 2015/05/09 07:43:14 pacho Exp $
+
+*mod_auth_pgsql-2.0.3-r2 (09 May 2015)
+
+ 09 May 2015; Pacho Ramos <pacho@gentoo.org>
+ +files/mod_auth_pgsql-2.0.3-apache-2.4.patch,
+ +files/mod_auth_pgsql-2.0.3-documentation.patch,
+ +files/mod_auth_pgsql-2.0.3-encoding.patch,
+ +files/mod_auth_pgsql-2.0.3-fixdoublefree.patch,
+ +mod_auth_pgsql-2.0.3-r2.ebuild:
+ Apply some Debian patches also adding apache 2.4 support (#532798)
28 Dec 2014; Aaron W. Swenson <titanofold@gentoo.org>
mod_auth_pgsql-2.0.3-r1.ebuild:
Hash: SHA256
AUX 80_mod_auth_pgsql.conf 331 SHA256 abbdc5bc506d3bcced0f5594563fca4d75d3649af34d1f46169d5f13b7290956 SHA512 e4fc23b450f9bd15e5bff93a50d782adfd7e27d3e9d2fc4fdbda4dfd6e4a2e3c9adcf1dcdfc746e2636c9fd8e536b06e81904c1ccca35569a7e4c41f5cbfe5bd WHIRLPOOL 9c5f8f4c8b14938401da3a4acc0ab2c7dfb7c017c640f3d7459d5e52e74d178673908d44172482f31937507cb1ed5bfd162857713ab9054e3aea040a9a48e70d
+AUX mod_auth_pgsql-2.0.3-apache-2.4.patch 10381 SHA256 92aec3c6343656683ba4ec7309665be035757bc7f7ceb05a9568b42a9c864d58 SHA512 051825f6ffd3fa83b1579e78b991048d057d888331351abb291211e0af4b0e65878e6ccbc61173dc86818daa75e77ae4a9cecf6c2be1715d7dc5d270b755203f WHIRLPOOL 700b4ddb62f8d70adb8612ee87ed29e20d93f3c4b071aabe5e447bccd39eaa4cea2822fc905415bc8ba932d839520da8aaf6f3028a224312e6bfbf392d0f6354
+AUX mod_auth_pgsql-2.0.3-documentation.patch 6200 SHA256 2c32c7beeb5c23d965a98171f0619c93d9c6189f81ac093df3a36659f91df426 SHA512 d7159488eae05dd229c450b433db6e1449ee37d5deb43842f822182e38c471af7828716c23320c6d4c6c2d9e3ab96353d1d0bd1a236b641a5a02c00bcd06107e WHIRLPOOL ed9fa0bad304f4483d2e51747fd853dce073517f4b7f8bb2701a343373a6277877b69f6f44dd0a45b7ee384c4237a4f1c631cd8a3c1cb827139208a5f1f81ce8
+AUX mod_auth_pgsql-2.0.3-encoding.patch 9389 SHA256 660f2ea757b9599faaba10ec1ceebdefc57d4e9bdfbbf3bbd6cc52e31cc82c7f SHA512 303a130877aa3f89a462be477af6011aa0c354c73d1d5fcfc711570e24be318154ef437825c17935e883a0ab9965c332cc82e8a4983fa6a87879014133ed510f WHIRLPOOL 98b39df4c5994feaad8515edf3716870ce26ea50e4854f25e967132aeaac5ee949b2139c21ad1556716fe3af355df142df4953d6dbb3357b6e2e4057df6eea17
+AUX mod_auth_pgsql-2.0.3-fixdoublefree.patch 2355 SHA256 40cabf9d0ca7cee4b324dc70d99f072eaea336358e51d8402470bb86fdf7c6c4 SHA512 a76ff149eb5be83ff586ff129749cc594d3ed0a00c295f59c39afad75c561a89f6f1d6c716fb6355cc50887a09296e15c2fb271fbb494e35658a03a429fc54df WHIRLPOOL f73d149be815d956a738c053c23fec923ba995585fb04fc041e202687ef85099e9f638e2586088d7e3b1e1581da141c39a5bb2110559d21d6cc017c6edf06f61
DIST mod_auth_pgsql-2.0.3.tar.gz 15474 SHA256 51651609d742e21bbc587fd4951b41a39deda53262cbf931b9b40bdda3b5cb92 SHA512 9ec9d9c1075d37e62e98f0f5519147d9fb2042ef7e149ff50461f3966d548afceefc330f4a1c3bd8fc64b5e93ed3e85508571a5b1b9832974c84267737e89cb0 WHIRLPOOL dea354fb9b3a06f668b8b039339b5972e295abd7357d6c5a61f6192a5c3bbcad1227f86a3d9b552e4b564476b8da9ded5f7b175d77f4cba0c3e360567aef13b2
EBUILD mod_auth_pgsql-2.0.3-r1.ebuild 974 SHA256 a97b05d3add688c8ff573d77b8c9826598f636fea95fcecc46cde6dbe058ff22 SHA512 d75e04fd90ca049085370c0eb1ee2b5033fb600ab22fa3b48f605f10c436820e9f8ad6abfd29a6fbccb149359f56d69bfd3acca5c7f957b1d405d7d50aeb5759 WHIRLPOOL 003ec7b05bf97a0717ab16f56fde194844b34cdd6ff179114bfd9cb205f40d0e038abd58f7b73518c1665e29c8fb0bb89b461b9c74a430e37b0767a5df7acfb6
-MISC ChangeLog 6479 SHA256 bfaf9727d135df68c485974f76fa533210df72344fd4fa9cc19e4dae49a4a03f SHA512 013eb2faed13a1f7522e5536a7a2cc98df51dc76a1fa922f42684b3e9f3e86ad245aa0a68b3a2bbff7b48379abd8f680df6d43c6c2abda12b722bb76678bedaf WHIRLPOOL 1d8bfb73e70d89184dffbadc1dc7ea4b6c7441ce2984f6166f2bc22ea588606b443d9c168daccd8606f7673ff2f7ca6f9487726e4d635e55a595b411ab2af403
+EBUILD mod_auth_pgsql-2.0.3-r2.ebuild 1205 SHA256 4fd5febd5d608ef370b93d46adbd918e8bb78193ffe2df29c01e1366e99bc02d SHA512 0c420f1c43b79ba6b2c5621bf57c9897ee48c2895331379331a58811e8dbe862a5bca7be0722709e600d4190315b411df6046c054c59100b77c4a45a73ef114c WHIRLPOOL 3d4b417a3b54389e04be31e2b32517ced4ee9cc7ad9687313fabc86c3997a7d14ab40a1ef74486c679770919d036796040734bdaae042f8ff2a47940e6dac21b
+MISC ChangeLog 6861 SHA256 f72555d3ebcfe2aca72e74f0415d00455113faa92b5744ffc95c6eeac5d7f22d SHA512 f20a79b4b13d9c188e870317952678a754a6b634d4ccf1318802f69a665d6c3d4de88ae8f0ade7e57b673dc889e488a1cdf54b7ad7c6c28982dc38b1383d689c WHIRLPOOL 2a2d6021ff423808acb9ead33db2ecb541b7acec6ae11b548c780c0e846934940eb60c2fccbcb903718d0b032234cca4b9ab77a2e1db70b8f75c7d577ffa0552
MISC metadata.xml 164 SHA256 7e8e8126bc8701c4a42c7dfed8bb755ac6040fe3d0e3f994d888f8b2b4fa7d8b SHA512 45b3f5ba6ebbeb2f990e5612b545bee41bb8c9f29e7f31de34021384760fcfc4694de0782fc0bdf556fe81ed3b334fc96c33563b0fddc2545484099a2cd76bb2 WHIRLPOOL 5fd1b0fc651f51ed3d1715cff87d86e7c0fe9c7825529069c7c3fed13641aee24bee1971b6e1057797b7b191ef0d50a1ea68c9f24588872d7d960787f9f02bfa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iF4EAREIAAYFAlSgNvgACgkQVxOqA9G7/aBkYAD7BjU9ms0cGcrwgHDx9v189HKv
-kDuoas3YxAs4ZEhRiQEA+wVbs+PAq73XD6ol6V3O3+3N+u22whoW03/4b+7nDj6m
-=ES21
+iEYEAREIAAYFAlVNupMACgkQCaWpQKGI+9TaoACfV2uDfxKe4z3eAKGknbvHbp9X
+4noAn2RZJZOCGha1c6qOWafccs5cHbgd
+=RkMt
-----END PGP SIGNATURE-----
--- /dev/null
+From: Marco Nenciarini <mnencia@debian.org>
+Date: Sat, 20 Jul 2013 18:47:04 +0200
+Subject: apache 2.4
+
+---
+ mod_auth_pgsql.c | 196 ++++++++++++-------------------------------------------
+ 1 file changed, 41 insertions(+), 155 deletions(-)
+
+diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
+index 639537d..26d7f90 100644
+--- a/mod_auth_pgsql.c
++++ b/mod_auth_pgsql.c
+@@ -109,6 +109,8 @@
+ #include "http_request.h"
+ #include "util_script.h"
+
++#include "mod_auth.h"
++
+ #ifdef WIN32
+ #define crypt apr_password_validate
+ #else
+@@ -191,7 +193,7 @@ module AP_MODULE_DECLARE_DATA auth_pgsql_module;
+
+
+ static int pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec,
+- char *user, char *sent_pw);
++ const char *user, const char *sent_pw);
+ static char *do_pg_query(request_rec * r, char *query,
+ pg_auth_config_rec * sec);
+
+@@ -442,9 +444,8 @@ static char pg_errstr[MAX_STRING_LEN];
+ * failures separately
+ */
+
+-static char *auth_pg_md5(char *pw)
++static char *auth_pg_md5(const char *pw)
+ {
+- apr_md5_ctx_t ctx;
+ unsigned char digest[APR_MD5_DIGESTSIZE];
+ static unsigned char md5hash[APR_MD5_DIGESTSIZE * 2 + 1];
+ int i;
+@@ -459,14 +460,15 @@ static char *auth_pg_md5(char *pw)
+ }
+
+
+-static char *auth_pg_base64(char *pw)
++static char *auth_pg_base64(const char *pw)
+ {
+ if (auth_pgsql_pool_base64 == NULL)
+ apr_pool_create_ex(&auth_pgsql_pool_base64, NULL, NULL, NULL);
+ if (auth_pgsql_pool == NULL)
+ return NULL;
+
+- return ap_pbase64encode(auth_pgsql_pool, pw);
++ /* NOTE: ap_pbase64encode is no change arg2. so removable const. */
++ return ap_pbase64encode(auth_pgsql_pool, (char *)pw);
+ }
+
+
+@@ -557,7 +559,8 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
+
+ if (!check || strcmp(sec->auth_pg_charset, check)) {
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "mod_auth_pgsql database character set encoding %s");
++ "mod_auth_pgsql database character set encoding %s",
++ check);
+ PQfinish(pg_conn);
+ return NULL;
+ }
+@@ -614,7 +617,7 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
+ return result;
+ }
+
+-char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec)
++char *get_pg_pw(request_rec * r, const char *user, pg_auth_config_rec * sec)
+ {
+ char query[MAX_STRING_LEN];
+ char *safe_user;
+@@ -755,19 +758,20 @@ static char *get_pg_grp(request_rec * r, char *group, char *user,
+ }
+
+ /* Process authentication request from Apache*/
+-static int pg_authenticate_basic_user(request_rec * r)
++static authn_status check_password(request_rec *r, const char *user,
++ const char *password)
+ {
++
+ pg_auth_config_rec *sec =
+ (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
+ &auth_pgsql_module);
+- char *val = NULL;
+- char *sent_pw, *real_pw;
+- int res;
+- char *user;
++ const char *val = NULL;
++ const char *sent_pw;
++ const char *real_pw;
++ authn_status auth_res;
++
++ sent_pw = password;
+
+- if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw)))
+- return res;
+- user = r->user;
+
+ #ifdef DEBUG_AUTH_PGSQL
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+@@ -784,7 +788,7 @@ static int pg_authenticate_basic_user(request_rec * r)
+ if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "[mod_auth_pgsql.c] - missing configuration parameters");
+- return DECLINED;
++ return AUTH_GENERAL_ERROR;
+ }
+ pg_errstr[0] = '\0';
+
+@@ -809,22 +813,16 @@ static int pg_authenticate_basic_user(request_rec * r)
+
+ if (!real_pw) {
+ if (pg_errstr[0]) {
+- res = HTTP_INTERNAL_SERVER_ERROR;
++ auth_res = AUTH_GENERAL_ERROR;
+ } else {
+- if (sec->auth_pg_authoritative) {
+ /* force error and access denied */
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
+ user);
+- ap_note_basic_auth_failure(r);
+- res = HTTP_UNAUTHORIZED;
+- } else {
+- /* allow fall through to another module */
+- return DECLINED;
+- }
++ auth_res = AUTH_USER_NOT_FOUND;
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- return res;
++ return auth_res;
+ }
+
+ /* allow no password, if the flag is set and the password
+@@ -836,7 +834,7 @@ static int pg_authenticate_basic_user(request_rec * r)
+ user);
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+ pg_log_auth_user(r, sec, user, sent_pw);
+- return OK;
++ return AUTH_GRANTED;
+ };
+
+ /* if the flag is off however, keep that kind of stuff at
+@@ -847,8 +845,7 @@ static int pg_authenticate_basic_user(request_rec * r)
+ "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
+ user);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- ap_note_basic_auth_failure(r);
+- return HTTP_UNAUTHORIZED;
++ return AUTH_DENIED;
+ };
+
+ if (sec->auth_pg_encrypted)
+@@ -877,8 +874,7 @@ static int pg_authenticate_basic_user(request_rec * r)
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "PG user %s: password mismatch", user);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- ap_note_basic_auth_failure(r);
+- return HTTP_UNAUTHORIZED;
++ return AUTH_DENIED;
+ }
+
+ /* store password in the cache */
+@@ -891,130 +887,13 @@ static int pg_authenticate_basic_user(request_rec * r)
+ }
+
+ pg_log_auth_user(r, sec, user, sent_pw);
+- return OK;
+-}
+-
+-/* Checking ID */
+-
+-static int pg_check_auth(request_rec * r)
+-{
+- pg_auth_config_rec *sec =
+- (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config,
+- &auth_pgsql_module);
+- char *user = r->user;
+- int m = r->method_number;
+- int group_result = DECLINED;
+-
+-
+-
+- apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r);
+- require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
+-
+- register int x, res;
+- const char *t;
+- char *w;
+-
+- pg_errstr[0] = '\0';
+-
+-#ifdef DEBUG_AUTH_PGSQL
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+- "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ",
+- user);
+-#endif /* DEBUG_AUTH_PGSQL */
+-
+-
+- if (!pg_conn) {
+- if (!(pg_conn = pg_connect(sec))) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
+- ap_note_basic_auth_failure(r);
+- return HTTP_UNAUTHORIZED;
+- }
+- }
+-
+- /* if we cannot do it; leave it to some other guy
+- */
+- if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field)
+- && (!sec->auth_pg_grp_user_field))
+- return DECLINED;
+-
+- if (!reqs_arr) {
+- if (sec->auth_pg_authoritative) {
+- /* force error and access denied */
+- apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
+- user);
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- ap_note_basic_auth_failure(r);
+- res = HTTP_UNAUTHORIZED;
+- } else {
+- return DECLINED;
+- }
+- }
+-
+- for (x = 0; x < reqs_arr->nelts; x++) {
+-
+- if (!(reqs[x].method_mask & (1 << m)))
+- continue;
+-
+- t = reqs[x].requirement;
+- w = ap_getword(r->pool, &t, ' ');
+-
+- if (!strcmp(w, "valid-user"))
+- return OK;
+-
+- if (!strcmp(w, "user")) {
+- while (t[0]) {
+- w = ap_getword_conf(r->pool, &t);
+- if (!strcmp(user, w))
+- return OK;
+- }
+- if (sec->auth_pg_authoritative) {
+- /* force error and access denied */
+- apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
+- user);
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- ap_note_basic_auth_failure(r);
+- return HTTP_UNAUTHORIZED;
+- }
+-
+- } else if (!strcmp(w, "group")) {
+- /* look up the membership for each of the groups in the table */
+- pg_errstr[0] = '\0';
+-
+- while (t[0]) {
+- if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) {
+- group_result = OK;
+- };
+- };
+-
+- if (pg_errstr[0]) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- if (group_result == OK)
+- return OK;
+-
+- if (sec->auth_pg_authoritative) {
+- apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)",
+- user);
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+- ap_note_basic_auth_failure(r);
+- return HTTP_UNAUTHORIZED;
+- };
+- }
+- }
+-
+- return DECLINED;
++ return AUTH_GRANTED;
+ }
+
+-
+ /* Send the authentication to the log table */
+ int
+-pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
+- char *sent_pw)
++pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, const char *user,
++ const char *sent_pw)
+ {
+ char sql[MAX_STRING_LEN];
+ char *s;
+@@ -1087,7 +966,7 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
+ sec->auth_pg_log_addrs_field);
+ strncat(fields, sql, MAX_STRING_LEN - strlen(fields) - 1);
+ apr_snprintf(sql, MAX_STRING_LEN, ", '%s'",
+- r->connection->remote_ip);
++ r->connection->client_ip);
+ strncat(values, sql, MAX_STRING_LEN - strlen(values) - 1);
+ }
+ if (sec->auth_pg_log_pwd_field) { /* Password field , clear WARNING */
+@@ -1140,15 +1019,22 @@ static void *pg_auth_server_config(apr_pool_t * p, server_rec * s)
+ }
+
+
++static const authn_provider authn_pgsql_provider =
++{
++ &check_password,
++ NULL,
++};
++
+ static void register_hooks(apr_pool_t * p)
+ {
+ ap_hook_post_config(pg_auth_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
+- ap_hook_auth_checker(pg_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
+- ap_hook_check_user_id(pg_authenticate_basic_user, NULL, NULL,
+- APR_HOOK_MIDDLE);
++
++ ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "pgsql",
++ AUTHN_PROVIDER_VERSION,
++ &authn_pgsql_provider, AP_AUTH_INTERNAL_PER_CONF);
+ };
+
+-module AP_MODULE_DECLARE_DATA auth_pgsql_module = {
++AP_DECLARE_MODULE(auth_pgsql) = {
+ STANDARD20_MODULE_STUFF,
+ create_pg_auth_dir_config, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
--- /dev/null
+From: Marco Nenciarini <mnencia@debian.org>
+Date: Sat, 10 Aug 2013 16:26:41 +0200
+Subject: documentation
+
+---
+ mod_auth_pgsql.html | 47 ++++++++++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html
+index 3269fe0..d35768b 100644
+--- a/mod_auth_pgsql.html
++++ b/mod_auth_pgsql.html
+@@ -48,18 +48,19 @@ Notes</a> |<a href="#Changelog"> Changelog</a> </p>
+ <li><a href="#host">Auth_PG_host</a> </li>
+ <li><a href="#port">Auth_PG_port</a> </li>
+ <li><a href="#options">Auth_PG_options</a> </li>
+- <li><a href="#pwd_table">Auth_PG_database</a> </li>
+- <li><a href="#PGuser">Auth_PG_user</a> </li>
+- <li><a href="PGpwd">Auth_PG_pwd</a> </li>
+- <li><a href="#grp_table">Auth_PG_pwd_table</a> </li>
+- <li><a href="#uid_field">Auth_PG_grp_table</a> </li>
++ <li><a href="#database">Auth_PG_database</a> </li>
++ <li><a href="#user">Auth_PG_user</a> </li>
++ <li><a href="#pwd">Auth_PG_pwd</a> </li>
++ <li><a href="#pwd_table">Auth_PG_pwd_table</a> </li>
++ <li><a href="#grp_table">Auth_PG_grp_table</a> </li>
+ <li><a href="#uid_field">Auth_PG_uid_field</a> </li>
+ <li><a href="#pwd_field">Auth_PG_pwd_field</a> </li>
+- <li><a href="#gid_field">Auth_PG_gid_field</a> </li>
++ <li><a href="#grp_group_field">Auth_PG_grp_group_field</a> </li>
++ <li><a href="#grp_user_field">Auth_PG_grp_user_field</a> </li>
+ <li><a href="#nopasswd">Auth_PG_nopasswd</a> </li>
+ <li><a href="#authoritative">Auth_PG_authoritative</a> </li>
+- <li><a href="#lowercaseuid">Auth_PG_lowercase_uid</a> </li>
+- <li><a href="#uppercaseuid">Auth_PG_uppercase_uid</a></li>
++ <li><a href="#lowercase_uid">Auth_PG_lowercase_uid</a> </li>
++ <li><a href="#uppercase_uid">Auth_PG_uppercase_uid</a></li>
+ <li><a href="#pwd_ignore_case">Auth_PG_pwd_ignore_case</a><br>
+ </li>
+ <li><a href="#encrypted">Auth_PG_encrypted</a> </li>
+@@ -112,7 +113,7 @@ available options. </p>
+ information.<br>
+ <br>
+ </p>
+-<h2><a name="PGuser"></a> Auth_PG_user<br>
++<h2><a name="user"></a> Auth_PG_user<br>
+ </h2>
+ <b>Syntax:</b> Auth_PG_user <i>username</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+@@ -125,7 +126,7 @@ access on all the log tables (if used).<br>
+ Needed if the user who make the quey is differrent from the
+ user runnig apache, or if the posmater is on a different server and you
+ must autheticate with password<br>
+-<h2><a name="PGpwd"></a> Auth_PG_pwd</h2>
++<h2><a name="pwd"></a> Auth_PG_pwd</h2>
+ <p><b>Syntax:</b> Auth_PG_pwd <i>password</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+ <b>Override:</b> AuthConfig <br>
+@@ -169,17 +170,25 @@ in the Auth_PG_pwd_table relation. </p>
+ <b>Override:</b> AuthConfig <br>
+ <b>Status:</b> Extension
+ <p>Specifies the attribute name of the field containing the encrypted
+-(see Auth_PG_encrypted) password in the Auth_PGpwd_table relation.<br>
++(see Auth_PG_encrypted) password in the Auth_PG_pwd_table relation.<br>
+ Please remember to use field of type varchar, not char for the password.<br>
+ </p>
+-<h2><a name="gid_field"></a> Auth_PG_gid_field</h2>
+-<b>Syntax:</b> Auth_PG_gid_field <i>attribute name</i><br>
++<h2><a name="grp_group_field"></a> Auth_PG_grp_group_field</h2>
++<b>Syntax:</b> Auth_PG_grp_group_field <i>attribute name</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+ <b>Override:</b> AuthConfig <br>
+ <b>Status:</b> Extension
+ <p>Specifies the attribute name of the field containing the group name
+ in the Auth_PG_grp_table relation. This directive is only necessary if
+ you want to authenticate by user groups. </p>
++<h2><a name="grp_user_field"></a> Auth_PG_grp_user_field</h2>
++<b>Syntax:</b> Auth_PG_grp_user_field <i>attribute name</i><br>
++<b>Context:</b> directory, .htaccess <br>
++<b>Override:</b> AuthConfig <br>
++<b>Status:</b> Extension
++<p>Specifies the attribute name of the field containing the user name
++in the Auth_PG_grp_table relation. This directive is only necessary if
++you want to authenticate by user groups. </p>
+ <h2><a name="nopasswd"></a> Auth_PG_nopasswd</h2>
+ <b>Syntax:</b> Auth_PG_nopasswd <i>on</i> or <i>off</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+@@ -202,7 +211,7 @@ the PostgreSQL scheme, the parent directory scheme will be given
+ the chance to try and authenticate the user. Exercise caution
+ when turning this option off. It can be a security risk. Can be
+ used to use two authentication schemes for the same dir. </p>
+-<h2><a name="lowercaseuid"></a> Auth_PG_lowercase_uid</h2>
++<h2><a name="lowercase_uid"></a> Auth_PG_lowercase_uid</h2>
+ <b>Syntax:</b> Auth_PG_lowercase_uid <i>on</i> or <i>off</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+ <b>Override:</b> AuthConfig <br>
+@@ -211,7 +220,7 @@ used to use two authentication schemes for the same dir. </p>
+ user UIDs to lowercase before looking them up. When turned on this does
+ not affect the case of the original user ID should this module decline
+ to authenticate and a lower level is called.</p>
+-<h2><a name="uppercaseuid"></a> Auth_PG_uppercase_uid</h2>
++<h2><a name="uppercase_uid"></a> Auth_PG_uppercase_uid</h2>
+ <b>Syntax:</b> Auth_PG_uppercase_uid <i>on</i> or <i>off</i><br>
+ <b>Context:</b> directory, .htaccess <br>
+ <b>Override:</b> AuthConfig <br>
+@@ -277,14 +286,14 @@ initial space .</em></p>
+ <p>This option allows you to exercise greater control over the SQL code
+ used to retrieve the group name and corresponding user from the
+ database. You can use this to search for the group name
+-using more attributes in the table than the gid_field. </p>
++using more attributes in the table than the grp_group_field. </p>
+ <p>The basic SQL statement used to retrieve a group name and user name
+ for checking looks like this: </p>
+ <ul>
+-select <i><uid_field></i> from <i><grp_table></i> where <i>
+-<gid_field></i> ='<i><required group></i> '
++select <i><grp_user_field></i> from <i><grp_table></i> where <i>
++<grp_group_field></i> ='<i><required group></i> '
+ </ul>
+-The gid_whereclause will be added to the end of this statement
++The grp_whereclause will be added to the end of this statement
+ and must fit logically. <em>The where clause must be double
+ quoted.<br>
+ <br>
--- /dev/null
+From: Marco Nenciarini <mnencia@debian.org>
+Date: Sat, 10 Aug 2013 16:26:41 +0200
+Subject: encoding
+
+---
+ mod_auth_pgsql.c | 144 +++++++++++++++++++++++++++++++---------------------
+ mod_auth_pgsql.html | 9 ++++
+ 2 files changed, 94 insertions(+), 59 deletions(-)
+
+diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
+index f13c166..639537d 100644
+--- a/mod_auth_pgsql.c
++++ b/mod_auth_pgsql.c
+@@ -151,6 +151,7 @@ typedef struct {
+ const char *auth_pg_port;
+ const char *auth_pg_options;
+ const char *auth_pg_user;
++ const char *auth_pg_charset;
+ const char *auth_pg_pwd;
+ const char *auth_pg_pwd_table;
+ const char *auth_pg_uname_field;
+@@ -181,6 +182,8 @@ typedef struct {
+
+ } pg_auth_config_rec;
+
++static PGconn *pg_conn;
++
+ static apr_pool_t *auth_pgsql_pool = NULL;
+ static apr_pool_t *auth_pgsql_pool_base64 = NULL;
+
+@@ -220,6 +223,7 @@ static void *create_pg_auth_dir_config(apr_pool_t * p, char *d)
+ new_rec->auth_pg_port = NULL;
+ new_rec->auth_pg_options = NULL;
+ new_rec->auth_pg_user = NULL;
++ new_rec->auth_pg_charset = NULL;
+ new_rec->auth_pg_pwd = NULL;
+ new_rec->auth_pg_pwd_table = NULL;
+ new_rec->auth_pg_uname_field = NULL;
+@@ -324,6 +328,10 @@ static const command_rec pg_auth_cmds[] = {
+ (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_user),
+ OR_AUTHCFG,
+ "user name connect as"),
++ AP_INIT_TAKE1("Auth_PG_charset", ap_set_string_slot,
++ (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_charset),
++ OR_AUTHCFG,
++ "charset to use for connection"),
+ AP_INIT_TAKE1("Auth_PG_pwd", ap_set_string_slot,
+ (void *) APR_OFFSETOF(pg_auth_config_rec, auth_pg_pwd),
+ OR_AUTHCFG,
+@@ -462,53 +470,51 @@ static char *auth_pg_base64(char *pw)
+ }
+
+
++PGconn *pg_connect(pg_auth_config_rec *sec)
++{
++ PGconn *conn;
+
+-/* Got from POstgreSQL 7.2 */
+-/* ---------------
+- * Escaping arbitrary strings to get valid SQL strings/identifiers.
+- *
+- * Replaces "\\" with "\\\\" and "'" with "''".
+- * length is the length of the buffer pointed to by
+- * from. The buffer at to must be at least 2*length + 1 characters
+- * long. A terminating NUL character is written.
+- * ---------------
+- */
++ conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port,
++ sec->auth_pg_options, NULL, sec->auth_pg_database,
++ sec->auth_pg_user, sec->auth_pg_pwd);
++ if (PQstatus(conn) != CONNECTION_OK) {
++ PQreset(conn);
++ apr_snprintf(pg_errstr, MAX_STRING_LEN,
++ "mod_auth_pgsql database connection error resetting %s",
++ PQerrorMessage(conn));
++ if (PQstatus(conn) != CONNECTION_OK) {
++ apr_snprintf(pg_errstr, MAX_STRING_LEN,
++ "mod_auth_pgsql database connection error reset failed %s",
++ PQerrorMessage(conn));
++ PQfinish(conn);
++ return NULL;
++ }
++ }
++ return conn;
++}
+
+-static size_t pg_check_string(char *to, const char *from, size_t length)
+-{
+- const char *source = from;
+- char *target = to;
+- unsigned int remaining = length;
+-
+- while (remaining > 0) {
+- switch (*source) {
+- case '\\':
+- *target = '\\';
+- target++;
+- *target = '\\';
+- /* target and remaining are updated below. */
+- break;
+
+- case '\'':
+- *target = '\'';
+- target++;
+- *target = '\'';
+- /* target and remaining are updated below. */
+- break;
++static size_t pg_check_string(char *to, const char *from, size_t length, request_rec * r, pg_auth_config_rec *sec)
++{
++ int error;
+
+- default:
+- *target = *source;
+- /* target and remaining are updated below. */
++ if (!pg_conn) {
++ if (!(pg_conn = pg_connect(sec))) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
++ ap_note_basic_auth_failure(r);
++ return -1;
+ }
+- source++;
+- target++;
+- remaining--;
+ }
+
+- /* Write the terminating NUL character. */
+- *target = '\0';
++ PQescapeStringConn(pg_conn, to, from, length, &error);
++
++ if (error) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot escape string");
++ ap_note_basic_auth_failure(r);
++ return -1;
++ }
+
+- return target - to;
++ return 0;
+ }
+
+
+@@ -518,7 +524,6 @@ static size_t pg_check_string(char *to, const char *from, size_t length)
+ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
+ {
+ PGresult *pg_result;
+- PGconn *pg_conn;
+ char *val;
+ char *result = NULL;
+
+@@ -530,19 +535,10 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
+ sec->auth_pg_database);
+ #endif /* DEBUG_AUTH_PGSQL */
+
+- pg_conn = PQsetdbLogin(sec->auth_pg_host, sec->auth_pg_port,
+- sec->auth_pg_options, NULL, sec->auth_pg_database,
+- sec->auth_pg_user, sec->auth_pg_pwd);
+- if (PQstatus(pg_conn) != CONNECTION_OK) {
+- PQreset(pg_conn);
+- apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "mod_auth_pgsql database connection error resetting %s",
+- PQerrorMessage(pg_conn));
+- if (PQstatus(pg_conn) != CONNECTION_OK) {
+- apr_snprintf(pg_errstr, MAX_STRING_LEN,
+- "mod_auth_pgsql database connection error reset failed %s",
+- PQerrorMessage(pg_conn));
+- PQfinish(pg_conn);
++ if (!pg_conn) {
++ if (!(pg_conn = pg_connect(sec))) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
++ ap_note_basic_auth_failure(r);
+ return NULL;
+ }
+ }
+@@ -552,6 +548,21 @@ char *do_pg_query(request_rec * r, char *query, pg_auth_config_rec * sec)
+ query);
+ #endif /* DEBUG_AUTH_PGSQL */
+
++ if (sec->auth_pg_charset) {
++ const char *check;
++
++ PQsetClientEncoding(pg_conn, sec->auth_pg_charset);
++
++ check = pg_encoding_to_char(PQclientEncoding(pg_conn));
++
++ if (!check || strcmp(sec->auth_pg_charset, check)) {
++ apr_snprintf(pg_errstr, MAX_STRING_LEN,
++ "mod_auth_pgsql database character set encoding %s");
++ PQfinish(pg_conn);
++ return NULL;
++ }
++ }
++
+ pg_result = PQexec(pg_conn, query);
+
+ if (pg_result == NULL) {
+@@ -610,7 +621,7 @@ char *get_pg_pw(request_rec * r, char *user, pg_auth_config_rec * sec)
+ int n;
+
+ safe_user = apr_palloc(r->pool, 1 + 2 * strlen(user));
+- pg_check_string(safe_user, user, strlen(user));
++ pg_check_string(safe_user, user, strlen(user), r, sec);
+
+ #ifdef DEBUG_AUTH_PGSQL
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+@@ -685,8 +696,8 @@ static char *get_pg_grp(request_rec * r, char *group, char *user,
+ #endif /* DEBUG_AUTH_PGSQL */
+
+ query[0] = '\0';
+- pg_check_string(safe_user, user, strlen(user));
+- pg_check_string(safe_group, group, strlen(group));
++ pg_check_string(safe_user, user, strlen(user), r, sec);
++ pg_check_string(safe_group, group, strlen(group), r, sec);
+
+ if ((!sec->auth_pg_grp_table) ||
+ (!sec->auth_pg_grp_group_field) || (!sec->auth_pg_grp_user_field))
+@@ -777,6 +788,14 @@ static int pg_authenticate_basic_user(request_rec * r)
+ }
+ pg_errstr[0] = '\0';
+
++ if (!pg_conn) {
++ if (!(pg_conn = pg_connect(sec))) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
++ ap_note_basic_auth_failure(r);
++ return HTTP_UNAUTHORIZED;
++ }
++ }
++
+ if (sec->auth_pg_cache_passwords
+ && (!apr_is_empty_table(sec->cache_pass_table))) {
+ val = (char *) apr_table_get(sec->cache_pass_table, user);
+@@ -904,6 +923,13 @@ static int pg_check_auth(request_rec * r)
+ #endif /* DEBUG_AUTH_PGSQL */
+
+
++ if (!pg_conn) {
++ if (!(pg_conn = pg_connect(sec))) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - cannot connect to database");
++ ap_note_basic_auth_failure(r);
++ return HTTP_UNAUTHORIZED;
++ }
++ }
+
+ /* if we cannot do it; leave it to some other guy
+ */
+@@ -1015,9 +1041,9 @@ pg_log_auth_user(request_rec * r, pg_auth_config_rec * sec, char *user,
+ }
+
+ /* AUD: MAX_STRING_LEN probably isn't always correct */
+- pg_check_string(safe_user, user, strlen(user));
+- pg_check_string(safe_pw, sent_pw, strlen(sent_pw));
+- pg_check_string(safe_req, r->the_request, strlen(r->the_request));
++ pg_check_string(safe_user, user, strlen(user), r, sec);
++ pg_check_string(safe_pw, sent_pw, strlen(sent_pw), r, sec);
++ pg_check_string(safe_req, r->the_request, strlen(r->the_request), r, sec);
+
+
+ if (sec->auth_pg_lowercaseuid) {
+diff --git a/mod_auth_pgsql.html b/mod_auth_pgsql.html
+index d35768b..5474314 100644
+--- a/mod_auth_pgsql.html
++++ b/mod_auth_pgsql.html
+@@ -48,6 +48,7 @@ Notes</a> |<a href="#Changelog"> Changelog</a> </p>
+ <li><a href="#host">Auth_PG_host</a> </li>
+ <li><a href="#port">Auth_PG_port</a> </li>
+ <li><a href="#options">Auth_PG_options</a> </li>
++ <li><a href="#charset">Auth_PG_charset</a> </li>
+ <li><a href="#database">Auth_PG_database</a> </li>
+ <li><a href="#user">Auth_PG_user</a> </li>
+ <li><a href="#pwd">Auth_PG_pwd</a> </li>
+@@ -104,6 +105,14 @@ be found. </p>
+ <p>Specifies an option string to be passed to the postgreSQL backend
+ process. Refer to the PostgreSQL user manual for a description of the
+ available options. </p>
++<h2><a name="charset"></a> Auth_PG_charset</h2>
++<b>Syntax:</b> Auth_PG_options <i>option string</i><br>
++<b>Context:</b> directory, .htaccess <br>
++<b>Override:</b> AuthConfig <br>
++<b>Status:</b> Extension
++<p>Specifies the name of an encoding to be set for the PostgreSQL
++backend process. Refer to the PostgreSQL user manual for a description
++of the available options. </p>
+ <h2><a name="database"></a> Auth_PG_database</h2>
+ <b>Syntax:</b> Auth_PG_database <i>database name</i><br>
+ <b>Context:</b> directory, .htaccess <br>
--- /dev/null
+Description: Avoid double free of connection pointers
+ .
+ libapache2-mod-auth-pgsql (2.0.3-6.1) unstable; urgency=medium
+ .
+ * Non-maintainer upload.
+ * Apply patch from Launchpad to set freed pointers to NULL before
+ subsequent checks against NULL. (Closes: #774313)
+Author: Neil Williams <codehelp@debian.org>
+Bug-Debian: https://bugs.debian.org/774313
+Origin: ubuntu, https://launchpadlibrarian.net/177475074/doublefree.patch
+
+---
+
+--- libapache2-mod-auth-pgsql-2.0.3.orig/mod_auth_pgsql.c
++++ libapache2-mod-auth-pgsql-2.0.3/mod_auth_pgsql.c
+@@ -489,6 +489,7 @@ PGconn *pg_connect(pg_auth_config_rec *s
+ "mod_auth_pgsql database connection error reset failed %s",
+ PQerrorMessage(conn));
+ PQfinish(conn);
++ conn = NULL;
+ return NULL;
+ }
+ }
+@@ -562,6 +563,7 @@ char *do_pg_query(request_rec * r, char
+ "mod_auth_pgsql database character set encoding %s",
+ check);
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+ }
+@@ -573,12 +575,15 @@ char *do_pg_query(request_rec * r, char
+ "PGSQL 2: %s -- Query: %s ",
+ PQerrorMessage(pg_conn), query);
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+
+ if (PQresultStatus(pg_result) == PGRES_EMPTY_QUERY) {
+ PQclear(pg_result);
++ pg_result = NULL;
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+
+@@ -586,7 +591,9 @@ char *do_pg_query(request_rec * r, char
+ apr_snprintf(pg_errstr, MAX_STRING_LEN, "PGSQL 3: %s -- Query: %s",
+ PQerrorMessage(pg_conn), query);
+ PQclear(pg_result);
++ pg_result = NULL;
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+
+@@ -596,7 +603,9 @@ char *do_pg_query(request_rec * r, char
+ apr_snprintf(pg_errstr, MAX_STRING_LEN, "PGSQL 4: %s",
+ PQerrorMessage(pg_conn));
+ PQclear(pg_result);
++ pg_result = NULL;
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+
+@@ -604,7 +613,9 @@ char *do_pg_query(request_rec * r, char
+ apr_snprintf(pg_errstr, MAX_STRING_LEN,
+ "Could not get memory for Postgres query.");
+ PQclear(pg_result);
++ pg_result = NULL;
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return NULL;
+ }
+
+@@ -613,7 +624,9 @@ char *do_pg_query(request_rec * r, char
+
+ /* ignore errors here ! */
+ PQclear(pg_result);
++ pg_result = NULL;
+ PQfinish(pg_conn);
++ pg_conn = NULL;
+ return result;
+ }
+
--- /dev/null
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_pgsql/mod_auth_pgsql-2.0.3-r2.ebuild,v 1.1 2015/05/09 07:43:14 pacho Exp $
+
+EAPI=5
+inherit eutils apache-module multilib
+
+DESCRIPTION="This module allows user authentication against information stored in a PostgreSQL database"
+HOMEPAGE="http://www.giuseppetanzilli.it/mod_auth_pgsql2/"
+SRC_URI="http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/${P}.tar.gz"
+
+LICENSE="freedist"
+SLOT="2"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="dev-db/postgresql:*"
+RDEPEND="${DEPEND}"
+
+APXS2_ARGS="-a -c -I/usr/include/postgresql -L/usr/$(get_libdir)/postgresql -lpq mod_auth_pgsql.c"
+
+APACHE2_MOD_CONF="80_mod_auth_pgsql"
+APACHE2_MOD_DEFINE="AUTH_PGSQL"
+
+DOCFILES="INSTALL README mod_auth_pgsql.html"
+
+need_apache2_4
+
+src_prepare() {
+ # Debian patches
+ epatch "${FILESDIR}"/${P}-documentation.patch
+ epatch "${FILESDIR}"/${P}-encoding.patch
+ epatch "${FILESDIR}"/${P}-apache-2.4.patch
+ epatch "${FILESDIR}"/${P}-fixdoublefree.patch
+}
+
+src_install() {
+ apache-module_src_install
+ fperms 600 "${APACHE_MODULES_CONFDIR}"/${APACHE2_MOD_CONF}.conf
+}
projects / gentoo.git / commitdiff