This queue is for tickets about the Apache-AuthCookie CPAN distribution.

Report information
The Basics
Id: 73661
Status: resolved
Priority: 0/
Queue: Apache-AuthCookie

People
Owner: Nobody in particular
Requestors: adam.prime [...] utoronto.ca
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 3.18
Fixed in: 3.19



Subject: some parts of AuthCookie don't work if you have a user_id of 0
There's a bunch of code in both versions of AuthCookie that won't work if you, for some bizarre reason, have a user whose ID is 0 (zero). I've attached a git diff that (I think) should fix it, but I had to make a change to the Sample handler in the tests to get it to work. It was returning an empty string for non-logged-in users, as opposed to returning nothing, or undef. The documentation doesn't explicitly say that the empty string should work as a non-valid return from authen_ses_key, but because the test was like that, I could understand some reluctance to apply this patch as is.
Subject: ac.patch
diff --git a/lib/Apache/AuthCookie.pm b/lib/Apache/AuthCookie.pm index ec7f10e..5aec195 100644 --- a/lib/Apache/AuthCookie.pm +++ b/lib/Apache/AuthCookie.pm @@ -17,7 +17,7 @@ sub recognize_user ($$) { my ($self, $r) = @_; # only check if user is not already set - return DECLINED if $r->connection->user; + return DECLINED if defined($r->connection->user); my $debug = $r->dir_config("AuthCookieDebug") || 0; my ($auth_type, $auth_name) = ($r->auth_type, $r->auth_name); @@ -33,7 +33,7 @@ sub recognize_user ($$) { return DECLINED unless $cookie; my ($user, @args) = $auth_type->authen_ses_key($r, $cookie); - if ($user and scalar @args == 0) { + if (defined($user) and scalar @args == 0) { $r->log_error("user is $user") if $debug >= 2; # if SessionTimeout is on, send new cookie with new Expires. @@ -272,7 +272,7 @@ sub authenticate ($$) { my ($auth_user, @args) = $auth_type->authen_ses_key($r, $ses_key_cookie); - if ($auth_user and scalar @args == 0) { + if (defined($auth_user) and scalar @args == 0) { # We have a valid session key, so we return with an OK value. # Tell the rest of Apache what the authentication method and @@ -375,7 +375,7 @@ sub authorize ($$) { my $reqs_arr = $r->requires or return DECLINED; my $user = $r->connection->user; - unless ($user) { + unless (defined($user)) { # user is either undef or =0 which means the authentication failed $r->log_reason("No user authenticated", $r->uri); diff --git a/lib/Apache2/AuthCookie.pm b/lib/Apache2/AuthCookie.pm index 4505a3f..714d810 100644 --- a/lib/Apache2/AuthCookie.pm +++ b/lib/Apache2/AuthCookie.pm @@ -25,7 +25,7 @@ sub recognize_user { my ($self, $r) = @_; # only check if user is not already set - return DECLINED if $r->user; + return DECLINED if defined($r->user); my $debug = $r->dir_config("AuthCookieDebug") || 0; 
@@ -46,7 +46,7 @@ sub recognize_user { my ($user,@args) = $auth_type->authen_ses_key($r, $cookie); - if ($user and scalar @args == 0) { + if (defined($user) and scalar @args == 0) { $r->server->log_error("user is $user") if $debug >= 2; # send cookie with update expires timestamp if session timeout is on @@ -273,7 +273,7 @@ sub authenticate { if ($ses_key_cookie) { my ($auth_user, @args) = $auth_type->authen_ses_key($r, $ses_key_cookie); - if ($auth_user and scalar @args == 0) { + if (defined($auth_user) and scalar @args == 0) { # We have a valid session key, so we return with an OK value. # Tell the rest of Apache what the authentication method and # user is. @@ -380,7 +380,7 @@ sub authorize { $r->server->log_error("authorize user=$user type=$auth_type") if $debug >=3; - unless ($user) { + unless (defined($user)) { # user is either undef or =0 which means the authentication failed $r->server->log_error("No user authenticated", $r->uri); return HTTP_FORBIDDEN; diff --git a/t/lib/Sample/Apache/AuthCookieHandler.pm b/t/lib/Sample/Apache/AuthCookieHandler.pm index f424397..d4e8574 100644 --- a/t/lib/Sample/Apache/AuthCookieHandler.pm +++ b/t/lib/Sample/Apache/AuthCookieHandler.pm @@ -33,7 +33,7 @@ sub authen_ses_key ($$$) { } elsif ($user eq "some-user") { $user; } else { - ""; + undef; } } diff --git a/t/lib/Sample/Apache2/AuthCookieHandler.pm b/t/lib/Sample/Apache2/AuthCookieHandler.pm index d397860..8dd238e 100644 --- a/t/lib/Sample/Apache2/AuthCookieHandler.pm +++ b/t/lib/Sample/Apache2/AuthCookieHandler.pm @@ -35,7 +35,7 @@ sub authen_ses_key ($$$) { } elsif ($user eq "some-user") { $user; } else { - ""; + undef; } }
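Review bot: In the recognize_user and authenticate hunks of both lib/Apache/AuthCookie.pm and lib/Apache2/AuthCookie.pm, `defined($user)` and `defined($auth_user)` now accept the empty string as an authenticated user, so any existing authen_ses_key subclass that signals failure by returning "" (as the Sample handlers did before this patch) would start passing authentication with an empty username. Consider `defined($user) and length($user)` so that "0" is accepted while "" still fails, and state in the authen_ses_key documentation which return values mean "no valid session".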
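Review bot: In both authorize hunks the unchanged comment under the new `unless (defined($user))` line still reads "user is either undef or =0 which means the authentication failed", which contradicts the new check, since a user of 0 is now treated as authenticated. Update the comment to say that only an undefined user means authentication failed.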
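Review bot: The two t/lib/Sample/.../AuthCookieHandler.pm hunks only change the failure return from `"";` to `undef;`, and nothing in the patch adds a test that logs in as a user named "0", so the behaviour this ticket is about is not covered. Add a test case for a session key that resolves to user "0", and one for a handler returning "" so the intended treatment of the empty string is pinned down.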
This has been fixed in v3.19_01 (developer release) which I just uploaded to CPAN. Thanks!