Bug 1331022

Summary: Password not logged with Anonymous_LogEmail on
Product: Red Hat Enterprise Linux 7
Reporter: Martin Frodl <mfrodl>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED NOTABUG
QA Contact: Martin Frodl <mfrodl>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: isenfeld, jorton, mfrodl
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of:
: 1331453
Last Closed: 2016-08-03 08:45:05 UTC
Type: Bug

Description Martin Frodl 2016-04-27 13:11:02 UTC
Description of problem:

In mod_authn_anon, the Anonymous_LogEmail directive controls password logging for anonymous users. When enabled (by default), the password entered should be logged in the error log [0]. In reality, the password is never logged.

Version-Release number of selected component (if applicable):
httpd-2.4.6-40.el7.x86_64

Steps to Reproduce:
# mkdir /var/www/html/private
# cat > /etc/httpd/conf.d/httpd.conf <<EOF
<Directory "/var/www/html/private">
    AuthName "Use 'anonymous' & Email address for guest entry"
    AuthType Basic
    AuthBasicProvider file anon
    AuthUserFile "conf/passwd"

    Anonymous_NoUserID off
    Anonymous_MustGiveEmail on
    Anonymous_VerifyEmail on
    Anonymous_LogEmail on
    Anonymous anonymous guest www test welcome

    Require valid-user
</Directory>
EOF
# htpasswd -c -b /etc/httpd/conf/passwd myuser mypassword
# systemctl start httpd
# curl -v -u anonymous:anonymous http://localhost/private/

Actual results:
/var/log/httpd/error_log does not contain 'anonymous'

Expected results:
/var/log/httpd/error_log should contain 'anonymous'


[0] https://httpd.apache.org/docs/2.4/mod/mod_authn_anon.html#anonymous_logemail