authorMikhail Teterin <mi@FreeBSD.org>2002-01-09 21:57:30 +0000
committerMikhail Teterin <mi@FreeBSD.org>2002-01-09 21:57:30 +0000
commitc0ab352737779d291dfe6b0681f0aa9359c2a745 (patch)
tree6ebf4ee2ac322443c8e80dba453e88f11cc80d1f /www
parentUpdate to 1.8. (diff)
Add a new access control mechanism, which would allow access-control
without user's input -- based, for example, on a cookie, remote ip, referrer, or some such. Bump up PORTREVISION. Submitted by: Mark Abrams (http://video-collage.com/)
Diffstat (limited to 'www')
-rw-r--r--www/neowebscript/Makefile1
-rw-r--r--www/neowebscript/files/patch-access245
2 files changed, 246 insertions, 0 deletions
diff --git a/www/neowebscript/Makefile b/www/neowebscript/Makefile
index ec7daae75c64..6dbf3e45d358 100644
--- a/www/neowebscript/Makefile
+++ b/www/neowebscript/Makefile
@@ -7,6 +7,7 @@
PORTNAME= neowebscript
PORTVERSION= 3.3
+PORTREVISION= 1
CATEGORIES= www tcl83
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR=nws
diff --git a/www/neowebscript/files/patch-access b/www/neowebscript/files/patch-access
new file mode 100644
index 000000000000..bebb7ef521ea
--- /dev/null
+++ b/www/neowebscript/files/patch-access
@@ -0,0 +1,245 @@
+--- mod_auth_tcl.c Fri Nov 19 19:35:28 1999
++++ mod_auth_tcl.c Thu Jan 3 12:24:41 2002
+@@ -5,5 +5,5 @@
+ * You may freely redistribute most NeoSoft extensions to the Apache webserver
+ * for any purpose except commercial resale and/or use in secure servers,
+- * which requires, in either case, written permission from NeoSoft, Inc. Any
++ * which requires, in either case, written permission from NeoSoft, Inc. Any
+ * redistribution of this software must retain this copyright, unmodified
+ * from the original.
+@@ -12,5 +12,5 @@
+ * commerce, require a license for use and may not be redistributed
+ * without explicit written permission, obtained in advance of any
+- * such distribution from NeoSoft, Inc. These files are clearly marked
++ * such distribution from NeoSoft, Inc. These files are clearly marked
+ * with a different copyright.
+ *
+@@ -21,7 +21,7 @@
+ * said copyrights.
+ *
+- * Some of the software in this file may be derived from code
++ * Some of the software in this file may be derived from code
+ * Copyright (c) 1995 The Apache Group. All rights reserved.
+- *
++ *
+ * Redistribution and use of Apache code in source and binary forms is
+ * permitted under most conditions. Please consult the source code to
+@@ -46,8 +46,9 @@
+ /*
+ * auth_tcl: authentication via Tcl procs in main interpreter
+- *
++ *
+ * Rob McCool
+ * Randy Kunkee
+- *
++ * Mark Abrams (Video Collage, Inc.)
++ *
+ */
+
+@@ -58,10 +59,10 @@
+ * in your server, since this module depends on Tcl_Interp *interp to be
+ * exported by it.
+- *
++ *
+ * Based on authentication module originally written by Rob McCool and
+ * adapted to Shambhala by rst.
+ *
+ * Alterations from there to present form by Randy Kunkee of NeoSoft.
+- *
++ *
+ */
+
+@@ -79,4 +80,5 @@
+ char *tcl_basic_auth_command;
+ char *tcl_basic_access_command;
++ char *tcl_access_command;
+ } tcl_auth_config_rec;
+
+@@ -87,4 +89,5 @@
+ sec->tcl_basic_auth_command = NULL;
+ sec->tcl_basic_access_command = NULL;
++ sec->tcl_access_command = NULL;
+ return sec;
+ }
+@@ -105,4 +108,6 @@
+ { "TclAuthAccess", tcl_set_string_slot,
+ (void*)XtOffsetOf(tcl_auth_config_rec,tcl_basic_access_command), OR_AUTHCFG, RAW_ARGS, NULL },
++{ "TclAccess", tcl_set_string_slot,
++ (void*)XtOffsetOf(tcl_auth_config_rec,tcl_access_command), OR_AUTHCFG, RAW_ARGS, NULL },
+ { NULL }
+ };
+@@ -121,10 +126,12 @@
+ */
+
+-/* Determine user ID, and call Tcl with configured basic auth command.
++/* A u t h e t i c a t i o n
++ *
++ * Determine user ID, and call Tcl with configured basic auth command.
+ * Tcl command must return either a string containing the password, or`
+ * an empty string, indicating the user was not found.
+ */
+
+-int authenticate_basic_user_via_tcl (request_rec *r)
++static int authenticate_basic_user_via_tcl (request_rec *r)
+ {
+ tcl_auth_config_rec *sec =
+@@ -134,9 +141,9 @@
+ char errstr[MAX_STRING_LEN];
+ int res;
+-
++
+ if ((res = get_basic_auth_pw (r, &sent_pw))) return res;
+-
+- if(!sec->tcl_basic_auth_command)
+- return DECLINED;
++
++ if(!sec->tcl_basic_auth_command)
++ return DECLINED;
+
+ /*
+@@ -148,5 +155,5 @@
+ */
+ if (Tcl_VarEval(interp, sec->tcl_basic_auth_command, " ", c->user, " ", sent_pw, (char*)0)) {
+- sprintf(errstr,"Tcl auth_command error: %s\n%s",interp->result, Tcl_GetVar(interp, "errorInfo", TCL_GLOBAL_ONLY));
++ sprintf(errstr,"Tcl auth_command error: %s\n%s",interp->result, Tcl_GetVar(interp, "errorInfo", TCL_GLOBAL_ONLY));
+ log_reason (errstr, r->uri, r);
+ note_basic_auth_failure (r);
+@@ -160,8 +167,14 @@
+ return OK;
+ }
+-
+-/* Checking ID */
+-
+-int check_user_access_via_tcl (request_rec *r) {
++
++/* A u t h o r i z a t i o n
++ *
++ * after authenticating who a user is Apache enters the authorizarion phase.
++ * In this phase we determine if this user should be granted access to the
++ * requested location. Naming this routine check_user_authorization_via_tcl
++ * might makes things a bit less confusing
++ */
++
++static int check_user_access_via_tcl (request_rec *r) {
+ tcl_auth_config_rec *sec =
+ (tcl_auth_config_rec *)ap_get_module_config (r->per_dir_config, &tcl_auth_module);
+@@ -175,9 +188,10 @@
+ require_line *reqs;
+
+- /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
++ /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
+ * then any user will do.
+ */
+ if (!reqs_arr)
+- return (OK);
++ return (OK);
++
+ if (! sec->tcl_basic_access_command)
+ return AUTH_REQUIRED;
+@@ -186,10 +200,10 @@
+
+ for(x=0; x < reqs_arr->nelts; x++) {
+-
++
+ if (! (reqs[x].method_mask & (1 << m))) continue;
+-
++
+ method_restricted = 1;
+
+- t = reqs[x].requirement;
++ t = reqs[x].requirement;
+ code = Tcl_VarEval(interp, sec->tcl_basic_access_command, " ", user, " ", t, (char*)NULL);
+ if (code == TCL_ERROR)
+@@ -206,5 +220,5 @@
+ }
+ }
+-
++
+ if (!method_restricted)
+ return OK;
+@@ -214,4 +228,59 @@
+ }
+
++/* A c c e s s
++ *
++ * Access control doesnt care about user identity, so the user doesnt
++ * need to enter anything. This routine gets called for attempts to
++ * access any file within a directory with a defined access procedure
++ * (through .htaccess or elsewhere). To define an access procedure the
++ * .htacess file should contain a line that looks like this:
++ * TclAccess my_access_procedure
++ * my_access_procedure is a tcl procedure which is defined within
++ * neowebscript (for instance, in neowebscript's init.tcl). This
++ * routine will be passed the name of the file whose access is being
++ * attempted. Note that the access procedure can use the webenv array,
++ * so the file whose access is being attempted is also available as
++ * $webenv(DOCUMENT_URI).
++ * The access procedure must return one of the following:
++ * OK return allows access
++ * FORBIDDEN return denies access
++ * DECLINED return passes decision on to any other handlers
++ * which may exist
++ */
++
++static int ck_direct_access_via_tcl (request_rec *r) {
++ tcl_auth_config_rec *sec =
++ (tcl_auth_config_rec *)ap_get_module_config(r->per_dir_config,
++ &tcl_auth_module);
++ char errstr[MAX_STRING_LEN];
++ int code;
++ char *t;
++
++ if (!sec->tcl_access_command)
++ return DECLINED;
++
++ propagate_vars_to_nws(interp, r) ;
++
++ code = Tcl_VarEval(interp, sec->tcl_access_command, " ",
++ r->filename, (char*)NULL);
++ if (code == TCL_ERROR) {
++ sprintf(errstr,"Tcl ck_direct_access call error: %s\n%s",
++ interp->result,
++ Tcl_GetVar(interp, "errorInfo", TCL_GLOBAL_ONLY));
++ log_reason (errstr, r->uri, r);
++ return DECLINED ;
++ }
++
++ if (strcmp(interp->result,"OK") == 0)
++ return OK ;
++ if (strcmp(interp->result,"DECLINED") == 0)
++ return DECLINED ;
++ if (strcmp(interp->result,"FORBIDDEN") == 0)
++ return FORBIDDEN ;
++
++ /* there is an access routine but we dont understand it's return, so */
++ return DECLINED ;
++}
++
+ module tcl_auth_module = {
+ STANDARD_MODULE_STUFF,
+@@ -224,7 +293,7 @@
+ NULL, /* handlers */
+ NULL, /* filename translation */
+- authenticate_basic_user_via_tcl, /* check_user_id */
+- check_user_access_via_tcl, /* check auth */
+- NULL, /* check access */
++ authenticate_basic_user_via_tcl, /* authentication - who is it? */
++ check_user_access_via_tcl, /* authorization - do we let him/her in? */
++ ck_direct_access_via_tcl, /* access (for instance by host id) */
+ NULL, /* type_checker */
+ NULL, /* fixups */
+--- ../htdocs/neowebscript/sysopinfo/management.nhtml Mon Nov 22 02:33:45 1999
++++ ../htdocs/neowebscript/sysopinfo/management.nhtml Wed Jan 9 16:48:55 2002
+@@ -30,2 +30,12 @@
+ <p>
++<li>TclAccess <i>script</i>
++<p>
++This directive can be used to allow or forbid access without user's
++input -- based, for example, on credentials like IP address, referrer,
++a cookie, etc. The script is appended the name of the requested
++file before being evaluated and is expected to return OK, FORBIDDEN,
++or DECLINED. The latter means this script "did not care" and the
++other access control mechanisms should be consulted.
++
++<p>
+ <li>TclAuthBasic <i>procname arg1 arg2 ... </i>
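Review bot: In the new `ck_direct_access_via_tcl`, `r->filename` is concatenated unquoted into the script text handed to `Tcl_VarEval`, so any characters in the request-derived path that Tcl treats as syntax are parsed as script rather than as one argument; the path should be appended as a single quoted list element instead. The error branch then formats `interp->result` and `errorInfo` with an unbounded `sprintf` into the `MAX_STRING_LEN` stack buffer `errstr`, and since `errorInfo` usually echoes the failing command, the write needs a bound. Both the `TCL_ERROR` branch and the unrecognised-result fallthrough return `DECLINED`, so a broken access script appears to fail open to whatever the remaining handlers decide; denying there would be the safer default for an access check. The same unquoted `Tcl_VarEval` and `sprintf` pattern shows in the context lines of `authenticate_basic_user_via_tcl` and `check_user_access_via_tcl`, whose bodies lie partly outside the inner patch hunks. The local `char *t` in the new function is unused.

```c
static int ck_direct_access_via_tcl (request_rec *r) {
    /* ... unchanged: sec lookup, errstr/code declarations, DECLINED when no command, propagate_vars_to_nws ... */
    Tcl_DString cmd;

    Tcl_DStringInit(&cmd);
    Tcl_DStringAppend(&cmd, sec->tcl_access_command, -1);
    /* appended as one quoted list element, so the path is never parsed as script */
    Tcl_DStringAppendElement(&cmd, r->filename);
    code = Tcl_Eval(interp, Tcl_DStringValue(&cmd));
    Tcl_DStringFree(&cmd);
    if (code == TCL_ERROR) {
        ap_snprintf(errstr, sizeof(errstr),
                    "Tcl ck_direct_access call error: %s\n%s",
                    interp->result,
                    Tcl_GetVar(interp, "errorInfo", TCL_GLOBAL_ONLY));
        log_reason (errstr, r->uri, r);
        return FORBIDDEN;   /* fail closed when the access script itself is broken */
    }
    /* ... unchanged: OK / DECLINED / FORBIDDEN string comparisons ... */
    return FORBIDDEN;       /* unrecognised result: deny rather than defer */
}
```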