From fc695dcbef7387dfb8e013ac491699e60eff7878 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Fri, 16 Nov 2007 14:00:22 +0000
Subject: [PATCH] Sync

---
 org.gridsite.core/doc/mod_gridsite.8 | 16 ++++++++++++++++
 org.gridsite.core/src/mod_gridsite.c | 22 +++++++++++++++++++---
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/org.gridsite.core/doc/mod_gridsite.8 b/org.gridsite.core/doc/mod_gridsite.8
index be7e903..f6d0e29 100644
--- a/org.gridsite.core/doc/mod_gridsite.8
+++ b/org.gridsite.core/doc/mod_gridsite.8
@@ -72,6 +72,16 @@ per-directory. The current directory is tried and then parent directories in ascending order until a .gacl file is found. (Default: GridSiteAuth off)
+.IP "GridSiteAutoPasscode on|off"
+Whether to automatically issue passcodes in response to HTTPS
+requests made using a full X.509 certificate (not a GSI proxy.)
+(Default: GridSiteAutoPasscode on)
+
+.IP "GridSiteRequirePasscode on|off"
+Whether to require passcode cookies when processing HTTPS
+requests made using a full X.509 certificate (not a GSI proxy.)
+(Default: GridSiteAutoPasscode off)
+
 .IP "GridSiteAdminList uri"
 All members of the DN List with name "uri" receive the full set of permissions, irrespective of per-directory .gacl files. People in
@@ -252,6 +262,12 @@ Numerical value of the permission bit-map obtained by comparing the user with the GACL in force. (These should be tested using the GRSTgaclPermHasXXXX functions from GACL.)
+.IP GRST_PASSCODE_COOKIE
+Value of GRIDHTTP_PASSCODE cookie that should be returned when using
+a double-submit cookie procedure to guard against Cross Site Request
+Forgery (CSRF) attacks. This is only set if a valid passcode file
+was found in the server's sessions directory.
+
 .IP GRST_ADMIN_LIST
 URI of the DN List, listing people with full admin and write access to the whole site.
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index e551943..ffb734b 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -130,6 +130,7 @@ typedef struct
 {
 int auth;
 int autopasscode;
+ int requirepasscode;
 int zoneslashes;
 int envs;
 int format;
@@ -1625,6 +1626,7 @@ static void *create_gridsite_dir_config(apr_pool_t *p, char *path)
 {
 conf->auth = 0; /* GridSiteAuth on/off */
 conf->autopasscode = 1; /* GridSiteAutoPasscode on/off */
+ conf->requirepasscode = 0; /* GridSiteRequirePasscode on/off */
 conf->zoneslashes = 1; /* GridSiteZoneSlashes number */
 conf->envs = 1; /* GridSiteEnvs on/off */
 conf->format = 0; /* GridSiteHtmlFormat on/off */
@@ -1671,6 +1673,7 @@ static void *create_gridsite_dir_config(apr_pool_t *p, char *path)
 {
 conf->auth = UNSET; /* GridSiteAuth on/off */
 conf->autopasscode = UNSET; /* GridSiteAutoPasscode on/off */
+ conf->requirepasscode = UNSET; /* GridSiteRequirePasscode on/off */
 conf->zoneslashes = UNSET; /* GridSiteZoneSlashes number */
 conf->envs = UNSET; /* GridSiteEnvs on/off */
 conf->format = UNSET; /* GridSiteHtmlFormat on/off */
@@ -1719,6 +1722,9 @@ static void *merge_gridsite_dir_config(apr_pool_t *p, void *vserver,
 if (direct->autopasscode != UNSET) conf->autopasscode = direct->autopasscode;
 else conf->autopasscode = server->autopasscode;
 
+ if (direct->requirepasscode != UNSET) conf->requirepasscode = direct->requirepasscode;
+ else conf->requirepasscode = server->requirepasscode;
+
 if (direct->zoneslashes != UNSET) conf->zoneslashes = direct->zoneslashes;
 else conf->zoneslashes = server->zoneslashes;
 
@@ -2120,6 +2126,10 @@ static const char *mod_gridsite_flag_cmds(cmd_parms *a, void *cfg,
 {
 ((mod_gridsite_dir_cfg *) cfg)->autopasscode = flag;
 }
+ else if (strcasecmp(a->cmd->name, "GridSiteRequirePasscode") == 0)
+ {
+ ((mod_gridsite_dir_cfg *) cfg)->requirepasscode = flag;
+ }
 else if (strcasecmp(a->cmd->name, "GridSiteEnvs") == 0)
 {
 ((mod_gridsite_dir_cfg *) cfg)->envs = flag;
@@ -2154,6 +2164,8 @@ static const command_rec mod_gridsite_cmds[] =
 NULL, OR_FILEINFO, "on or off"),
 AP_INIT_FLAG("GridSiteAutoPasscode", mod_gridsite_flag_cmds,
 NULL, OR_FILEINFO, "on or off"),
+ AP_INIT_FLAG("GridSiteRequirePasscode", mod_gridsite_flag_cmds,
+ NULL, OR_FILEINFO, "on or off"),
 AP_INIT_FLAG("GridSiteEnvs", mod_gridsite_flag_cmds,
 NULL, OR_FILEINFO, "on or off"),
 AP_INIT_FLAG("GridSiteHtmlFormat", mod_gridsite_flag_cmds,
@@ -2847,8 +2859,10 @@ static int mod_gridsite_perm_handler(request_rec *r)
 
 /* if not succeeded from passcode file, try from connection notes
 if a GSI Proxy or have GridSiteAutoPasscode on (the default)
- (if GridSiteAutoPasscode off then interactive websites must use
- a login script to make passcode and file instead.)
+ or have GridSiteRequirePasscode off (the default).
+ If GridSiteAutoPasscode off and GridSiteRequirePasscode on
+ then interactive websites must use a login script to make passcode
+ and file instead.
 */
 
 if ((user == NULL) &&
@@ -2862,7 +2876,9 @@ static int mod_gridsite_perm_handler(request_rec *r)
 "notbefore=%ld notafter=%ld delegation=%d nist-loa=%d",
 ¬before, ¬after, &delegation, &nist_loa) == 4) &&
 (delegation <= ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit) &&
- ((delegation > 0) || ((mod_gridsite_dir_cfg *) cfg)->autopasscode))
+ ((delegation > 0) ||
+ ((mod_gridsite_dir_cfg *) cfg)->autopasscode ||
+ !(((mod_gridsite_dir_cfg *) cfg)->requirepasscode)))
 {
 cred_0 = GRSTgaclCredCreate(grst_cred_auri_0, NULL);
 if (cred_0 != NULL)
-- 
1.8.2.3
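Review bot: In the three-term OR added at the end of the -2862 hunk, `GridSiteRequirePasscode on` has no effect while `GridSiteAutoPasscode` keeps its default of on, because the `autopasscode` term alone satisfies the condition and the connection-notes credential is accepted without a passcode cookie; an administrator who turns the option on, presumably for the CSRF double-submit use that the new GRST_PASSCODE_COOKIE entry describes, gets no enforcement unless AutoPasscode is also switched off. If "require" is meant literally, dropping the middle term, `((delegation > 0) || !(((mod_gridsite_dir_cfg *) cfg)->requirepasscode)))`, gives that and leaves every other combination of the two flags behaving as the hunk does now; if the dependency is intended, the comment rewritten in the -2847 hunk says so but the man page entry for the option does not, and it should. That man page entry, added in the mod_gridsite.8 hunk at -72, also states its default as `(Default: GridSiteAutoPasscode off)` where `GridSiteRequirePasscode off` is meant. mod_gridsite_perm_handler begins and ends outside both hunks.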