* Must we use form authentication? If so, extract the cookie and run * the authnz hooks to determine if the login is valid. * * If the login is not valid, a 401 Not Authorized will be returned. It * is up to the webmaster to ensure this screen displays a suitable login * form to give the user the opportunity to log in. */
| 879 | * form to give the user the opportunity to log in. |
| 880 | */ |
| 881 | static int authenticate_form_authn(request_rec * r) |
| 882 | { |
| 883 | auth_form_config_rec *conf = ap_get_module_config(r->per_dir_config, |
| 884 | &auth_form_module); |
| 885 | const char *sent_user = NULL, *sent_pw = NULL, *sent_hash = NULL; |
| 886 | const char *sent_loc = NULL, *sent_method = "GET", *sent_mimetype = NULL; |
| 887 | const char *current_auth = NULL; |
| 888 | const char *err; |
| 889 | apr_status_t res; |
| 890 | int rv = HTTP_UNAUTHORIZED; |
| 891 | |
| 892 | /* Are we configured to be Form auth? */ |
| 893 | current_auth = ap_auth_type(r); |
| 894 | if (!current_auth || ap_cstr_casecmp(current_auth, "form")) { |
| 895 | return DECLINED; |
| 896 | } |
| 897 | |
| 898 | /* |
| 899 | * XSS security warning: using cookies to store private data only works |
| 900 | * when the administrator has full control over the source website. When |
| 901 | * in forward-proxy mode, websites are public by definition, and so can |
| 902 | * never be secure. Abort the auth attempt in this case. |
| 903 | */ |
| 904 | if (PROXYREQ_PROXY == r->proxyreq) { |
| 905 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01809) |
| 906 | "form auth cannot be used for proxy " |
| 907 | "requests due to XSS risk, access denied: %s", r->uri); |
| 908 | return HTTP_INTERNAL_SERVER_ERROR; |
| 909 | } |
| 910 | |
| 911 | /* We need an authentication realm. */ |
| 912 | if (!ap_auth_name(r)) { |
| 913 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01810) |
| 914 | "need AuthName: %s", r->uri); |
| 915 | return HTTP_INTERNAL_SERVER_ERROR; |
| 916 | } |
| 917 | |
| 918 | r->ap_auth_type = (char *) current_auth; |
| 919 | |
| 920 | /* try get the username and password from the notes, if present */ |
| 921 | get_notes_auth(r, &sent_user, &sent_pw, &sent_method, &sent_mimetype); |
| 922 | if (!sent_user || !sent_pw || !*sent_user || !*sent_pw) { |
| 923 | |
| 924 | /* otherwise try get the username and password from a session, if present */ |
| 925 | res = get_session_auth(r, &sent_user, &sent_pw, &sent_hash); |
| 926 | |
| 927 | } |
| 928 | else { |
| 929 | res = APR_SUCCESS; |
| 930 | } |
| 931 | |
| 932 | /* first test whether the site passphrase matches */ |
| 933 | if (APR_SUCCESS == res && sent_user && sent_hash && sent_pw) { |
| 934 | rv = check_site(r, conf->site, sent_user, sent_hash); |
| 935 | if (OK == rv) { |
| 936 | fake_basic_authentication(r, conf, sent_user, sent_pw); |
| 937 | return OK; |
| 938 | } |
nothing calls this directly
no test coverage detected