Bug 57204 - LuaAuthzProvider mixes up parsed require arguments when used multiple times
Summary: LuaAuthzProvider mixes up parsed require arguments when used multiple times
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_lua
Version: 2.4.10
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2014-11-12 14:52 UTC by Eric Covener
Modified: 2015-01-23 08:49 UTC

Attachments
Allow multiple LuaAuthzProvider directives with the same provider name but different args (3.26 KB, patch)
2014-11-19 21:26 UTC, Edward Lu
Description Eric Covener 2014-11-12 14:52:50 UTC
As reported in the comments section of the manual anonymously, it looks like the Lua-specific hash used to store the parameters gets mixed up if you define 1 provider but use it with multiple Require arguments.

Original:

http://httpd.apache.org/docs/trunk/mod/mod_lua.html#comment_3245
Comment 1 Gregory A Lundberg 2014-11-14 03:47:05 UTC
Reactivated ancient Apache Bugzilla account to record as originator of the comment on the mod_lua documentation page.
Comment 2 Edward Lu 2014-11-19 21:26:52 UTC
Created attachment 32219
Allow multiple LuaAuthzProvider directives with the same provider name but different args
Comment 3 Edward Lu 2014-11-19 21:29:10 UTC
Forgot to attach comment to patch.

The above patch should fix the issue. The operative part is that it separates the provider from the arguments that are passed to it.

As a side note, the type names lua_authz_provider_spec and lua_authz_provider_func should probably be switched. I skipped that in the interest of a smaller diff, but whoever reviews/commits should probably look at naming those better.
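To make the failure mode concrete, here is a constructed model of the mix-up the description reports and the separation the patch comment describes. It is not mod_lua's code: the types and function names (authz_registry, parse_require_by_name, parse_require_per_directive, args_for_check) and the two-directive configuration are assumptions made for illustration. The buggy variant keys parsed arguments by provider name only, so the second Require line overwrites the arguments of the first; the fixed variant gives every Require directive its own record, keeping the provider separate from the arguments passed to it.

```c
#include <string.h>

/* Constructed model of the LuaAuthzProvider argument mix-up; not mod_lua's
 * code. All names here are illustrative assumptions. */

#define MAX_ENTRIES 8

typedef struct {
    const char *provider; /* name registered with LuaAuthzProvider */
    const char *args;     /* arguments of one Require line */
} authz_entry;

typedef struct {
    authz_entry entries[MAX_ENTRIES];
    int count;
} authz_registry;

/* Buggy variant: storage keyed by provider name only. Parsing a second
 * Require for the same provider finds the existing slot and overwrites its
 * args, so every earlier directive for that provider now sees the newest
 * arguments. Returns the slot handle used later at check time. */
int parse_require_by_name(authz_registry *r, const char *provider, const char *args)
{
    for (int i = 0; i < r->count; i++) {
        if (strcmp(r->entries[i].provider, provider) == 0) {
            r->entries[i].args = args; /* clobbers the earlier directive's args */
            return i;
        }
    }
    if (r->count == MAX_ENTRIES)
        return -1;
    r->entries[r->count].provider = provider;
    r->entries[r->count].args = args;
    return r->count++;
}

/* Fixed variant: one record per Require directive, so the provider name is
 * shared but each directive keeps exactly the args it was written with. */
int parse_require_per_directive(authz_registry *r, const char *provider, const char *args)
{
    if (r->count == MAX_ENTRIES)
        return -1;
    r->entries[r->count].provider = provider;
    r->entries[r->count].args = args;
    return r->count++;
}

/* Request-time lookup: the authz check for a directive fetches the args it
 * will hand to the Lua provider function. */
const char *args_for_check(const authz_registry *r, int handle)
{
    if (handle < 0 || handle >= r->count)
        return NULL;
    return r->entries[handle].args;
}

/* Parses the same constructed two-directive configuration with either
 * variant and returns the args the FIRST directive's check would see:
 *
 *   <Location /a>  Require lua-provider alice  </Location>
 *   <Location /b>  Require lua-provider bob    </Location>
 *
 * With fixed == 0 the first check wrongly sees "bob"; with fixed == 1 it
 * sees "alice". */
const char *first_directive_args_seen(int fixed)
{
    authz_registry reg;
    int (*parse)(authz_registry *, const char *, const char *) =
        fixed ? parse_require_per_directive : parse_require_by_name;

    memset(&reg, 0, sizeof reg);
    int h_a = parse(&reg, "lua-provider", "alice");
    int h_b = parse(&reg, "lua-provider", "bob");
    (void)h_b;
    return args_for_check(&reg, h_a);
}
```

The interesting observable is that in the buggy variant parsing succeeds and the check runs without error; it simply evaluates the first location with the arguments meant for the second, which is why this was treated as an access-control issue rather than a crash.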
Comment 4 Eric Covener 2014-11-20 00:18:31 UTC
Thanks, waiting to see if a CVE should be assigned.
Comment 5 Eric Covener 2014-12-29 20:30:17 UTC
CVE-2014-8109, waiting for next 2.4.x release
Comment 6 Yann Ylavic 2015-01-23 08:49:44 UTC
Backported to 2.4.11 in r1642861.