Bug 431684 - mod_python.publisher fails with non-Basic auth
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_python
Version: 5.1
Hardware: All Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Joe Orton
QA Contact: BaseOS QE Security Team
Reported: 2008-02-06 14:07 UTC by Enrico Scholz
Modified: 2018-11-14 14:05 UTC

Fixed In Version: mod_python-3.2.8-4.el5
Doc Type: Bug Fix
Last Closed: 2012-07-24 13:50:42 UTC


Attachments
patch to keep mod_python from blowing up with non-basic auth (1.83 KB, patch)
2008-11-19 20:57 UTC, Mike McLean


External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2012:1113
Priority: normal
Status: SHIPPED_LIVE
Summary: mod_python bug fix update
Last Updated: 2012-07-24 17:50:05 UTC

Description Enrico Scholz 2008-02-06 14:07:45 UTC
Description of problem:

Using non-Basic auth makes mod_python.publisher always fail with a '400 Bad
Request' error code. E.g.

| SetHandler      mod_python
| PythonHandler   mod_python.publisher
| AuthType        Kerberos

will create headers like

| Authorization: Negotiate YIIE+gYJKoZIhvc...

publisher.py checks unconditionally (e.g. also when the module does not do its
own authentication but uses the default Apache one) for base64 text at positions
[6:] in this header (which obviously works for the 'Basic' auth type only):

| def process_auth(req, object, realm="unknown", user=None, passwd=None):
|     ...
|     if not user and req.headers_in.has_key("Authorization"):
|         try:
|             s = req.headers_in["Authorization"][6:]
|             s = base64.decodestring(s)
|             user, passwd = s.split(":", 1)
|         except:
|             raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST


mod_python-3.3.1 from Fedora 8 is not affected, as it executes this check only
when the called handler has its own __auth*__ mechanism.


Version-Release number of selected component (if applicable):

mod_python-3.2.8-3.1
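
Added example (not part of the original report, and not the patch attached to this bug): a Python 3 illustration of why the [6:] slice returns 400 for a Negotiate header, next to a scheme-aware parser that decodes only Basic credentials. BadRequest, legacy_parse, parse_basic_credentials and both header values are hypothetical names and constructed samples.

```python
import base64
import binascii

class BadRequest(Exception):
    """Hypothetical stand-in for apache.SERVER_RETURN / HTTP_BAD_REQUEST."""

# Constructed sample headers; the Negotiate token is not a real SPNEGO blob.
NEGOTIATE = "Negotiate " + base64.b64encode(b"\x60\x82constructed-spnego-token").decode()
BASIC = "Basic " + base64.b64encode(b"alice:s3cret:with-colon").decode()

def legacy_parse(header):
    """Mirror of the quoted logic: slice at [6:] whatever the scheme is."""
    try:
        decoded = base64.b64decode(header[6:]).decode("latin-1")
        user, passwd = decoded.split(":", 1)
    except Exception:
        raise BadRequest("400 for scheme " + header.split(" ", 1)[0])
    return user, passwd

def parse_basic_credentials(header):
    """Return (user, passwd) for Basic, None for every other scheme."""
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic":
        # Negotiate, Digest, Bearer...: leave the decision to the Apache auth module.
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise BadRequest("malformed Basic credentials")
    user, sep, passwd = decoded.partition(":")
    if not sep:
        raise BadRequest("Basic credentials without ':' separator")
    return user, passwd

if __name__ == "__main__":
    for hdr in (BASIC, NEGOTIATE):
        try:
            old = legacy_parse(hdr)
        except BadRequest as exc:
            old = exc
        print(hdr.split(" ", 1)[0], "| legacy:", old,
              "| scheme-aware:", parse_basic_credentials(hdr))
```

A None result means the request carries no Basic credentials for the publisher to check; a malformed Basic header is still rejected.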

Comment 1 Mike McLean 2008-11-19 20:53:55 UTC
This bug affects Koji's web interface if Kerberos authentication is used. I currently have to work around this by patching my mod_python. Will attach the patch.

Comment 2 Mike McLean 2008-11-19 20:57:04 UTC
Created attachment 324094
patch to keep mod_python from blowing up with non-basic auth

Comment 4 Joe Orton 2008-11-25 12:41:10 UTC
Thanks, Mike.

Comment 5 RHEL Product and Program Management 2009-03-26 16:50:46 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 15 Ken Dreyer 2011-03-04 20:09:57 UTC
The most relevant upstream bug for this is http://issues.apache.org/jira/browse/MODPYTHON-47

Comment 16 Ken Dreyer 2011-03-04 20:20:52 UTC
If this doesn't get into RHEL 5, see https://bugzilla.redhat.com/show_bug.cgi?id=682319 for a hacky workaround in Kojiweb.

Comment 32 errata-xmlrpc 2012-07-24 13:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1113.html

