
















































































































                                                                                                
--- frontpage/version5.0/apache2/mod_frontpage.c.orig	Thu Jan  9 12:19:30 2003
+++ frontpage/version5.0/apache2/mod_frontpage.c	Wed Feb 12 11:29:29 2003
@@ -578,6 +578,32 @@
      * Thanks to Scot Hetzel (hetzels@westbend.net)
      */
     ap_add_version_component(p, "FrontPage/5.0.2.2635");
+
+    while (s != NULL) {
+	cgid_server_conf* c = ap_get_module_config(s->module_config, &frontpage_module);
+	if (c->fp_status == -1)
+#ifdef DEFAULT_TO_OFF
+	   c->fp_status = FALSE;
+#else
+	   c->fp_status = TRUE;
+#endif
+	if (!c->fp_status)
+	    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s,
+			 "FrontPage disabled for server %s:%d\n",
+			 s->server_hostname, s->port);
+	if (c->fp_admin_status == -1)
+#ifdef DEFAULT_TO_OFF
+	   c->fp_admin_status = FALSE;
+#else
+	   c->fp_admin_status = TRUE;
+#endif
+	if (!c->fp_admin_status)
+	   ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s,
+			"FrontPage Administration pages disabled for server %s:%d\n",
+			s->server_hostname, s->port);
+	s = s->next;
+    }
+
     return OK;
 }
 
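Review bot: Both ap_log_error format strings in the new loop end in `\n`; Apache's logger terminates each record itself, so every one of these entries will be followed by an empty line in the error log — drop the trailing `\n` from `"FrontPage disabled for server %s:%d\n"` and `"FrontPage Administration pages disabled for server %s:%d\n"`. The `-1` fallback silently enables FrontPage and its administration pages on every virtual host that never set the directive unless the build defines DEFAULT_TO_OFF; that deserves a comment at the top of the loop, e.g. `/* -1 means the directive was never given: default to enabled unless built with DEFAULT_TO_OFF */`. The loop advances the `s` parameter itself rather than a local cursor, which is harmless here only because `return OK` is the sole statement after it. The enclosing function starts outside the hunk.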
@@ -836,6 +862,27 @@
 
 
 /*
+ * We *MUST* have been authenticated somehow for AUTHOR or ADMIN requests.
+ * This prevents the single largest hole in FrontPage: if the user somehow
+ * deletes their .htaccess files anyone can gain FrontPage AUTHOR or ADMIN
+ * privileges.  With this check we won't allow ADMIN or AUTHOR unless _some_
+ * authentication was performed.
+ */
+static int FrontPageNeedAuth(
+    request_rec* r,
+    char* szCgi,
+    const char* szFpexe)
+{
+    if ((r->user == NULL) || (r->ap_auth_type == NULL)) {
+       ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+            "server configuration did not require authentication: %s", r->filename);
+       return HTTP_UNAUTHORIZED;
+    } else {
+       return FrontPageAlias(r, szCgi, szFpexe);
+    }
+}
+
+/*
  * This routine looks for shtml.exe, fpcount.exe, author.exe and admin.exe
  * in a URI, and if found we call FrontPageAlias() to check for a valid
  * FrontPage scenario.
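Review bot: FrontPageNeedAuth is defined here but no dispatch site visible in this patch calls it — the AUTHOR and ADMIN branches further down still call FrontPageAlias directly — so the "must have been authenticated" rule in the header comment is not enforced unless a caller exists outside these hunks, and as a static function with no caller it will also draw an unused-function warning. If the intended caller is the URI-matching routine described just below, note that it looks at the raw URI and so presumably runs before Apache's authentication phase, where `r->user` and `r->ap_auth_type` are not populated yet; the check would then reject every AUTHOR/ADMIN request, not only unauthenticated ones, so confirm the hook phase before wiring it in. Minor: `szCgi` could be `const char*` like `szFpexe` if FrontPageAlias accepts it.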
@@ -847,6 +894,7 @@
 {
     char* szVti;
     char* szCgi;
+    cgid_server_conf *c;
 
     /*
      * Decline if we're improperly initialized.
@@ -855,6 +903,13 @@
         return DECLINED;
 
     /*
+     * Decline if we have disabled FrontPage on the server.
+     */
+    c = (cgid_server_conf *)ap_get_module_config (r->server->module_config, &frontpage_module);
+       if (!c->fp_status)
+           return HTTP_FORBIDDEN;
+
+    /*
      * Check once for anything with _vti_bin.  This is much faster than
      * checking all our paths, because anything without this is definitely
      * not a FrontPage scenario.
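Review bot: The new check is placed before the `_vti_bin` test and returns HTTP_FORBIDDEN, so on a server where FrontPage is disabled every request that reaches this routine is answered with 403, not just FrontPage URIs — if this is the URI-translation hook, that is every request on the virtual host. The comment above it says "Decline" and the preceding initialization check does return DECLINED; either return DECLINED here (`if (!c->fp_status) return DECLINED;`) so ordinary requests fall through to the other handlers, or move the test below the `_vti_bin` match so only FrontPage requests are refused. The `(cgid_server_conf *)` cast of the void* result is unnecessary in C, and the `if` is indented three columns deeper than its neighbours and should be braced. The enclosing function starts and ends outside the hunk.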
@@ -875,7 +930,7 @@
         return FrontPageAlias(r, szCgi, AUTHOR);
     /*
      * Convert inadvertent shtml.dll to shtml.exe
-     * Thanks for the idea to Scot Hetzel (hetzels@westbend.net)
+     * Thanks for the idea from Scot Hetzel (hetzels@westbend.net)
      */
     if ((szCgi = strstr(szVti, SHTML2 )))
     {
@@ -885,9 +940,17 @@
     if ((szCgi = strstr(szVti, SHTML  )))
         return FrontPageAlias(r, szCgi, SHTML);
     if ((szCgi = strstr(szVti, ADMIN  )))
-        return FrontPageAlias(r, szCgi, ADMIN);
+	if (c->fp_admin_status) {
+	    return FrontPageAlias(r, szCgi, ADMIN);
+	} else {
+	    return HTTP_FORBIDDEN;
+	}
     if ((szCgi = strstr(szVti, ADMINCGI  )))
-        return FrontPageAlias(r, szCgi, ADMINCGI);
+	if (c->fp_admin_status) {
+	    return FrontPageAlias(r, szCgi, ADMINCGI);
+	} else {
+	    return HTTP_FORBIDDEN;
+	}
     if ((szCgi = strstr(szVti, FPCOUNT)))
         return FrontPageAlias(r, szCgi, FPCOUNT);