Hi,

if you have an Apache configuration that doesn't request authentication,
but still uses AuthzForceUsernameCase, this will crash Apache on each request:

<Location /svn/no-auth>
    DAV svn
    SVNPath /repos/no-auth
    AuthzSVNAccessFile /admin/no-auth.txt
    AuthzForceUsernameCase lower
</Location>

(and no "require ..." stuff in any enclosing Location either).
I know, it's a silly configuration - I stumbled upon it by accident.

Reason is that get_username_to_authorize() tries to lowercase a NULL r->user string.
Suggested patch (against 1.7.0-beta1, but that code hasn't changed in
a long time):


--- subversion/mod_authz_svn/mod_authz_svn.c.orig       2011-07-21
16:00:39.663920000 +0200
+++ subversion/mod_authz_svn/mod_authz_svn.c    2011-07-21
16:00:55.006891000 +0200
@@ -245,7 +245,7 @@
 get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
 {
   char *username_to_authorize = r->user;
-  if (conf->force_username_case)
+  if (username_to_authorize && conf->force_username_case)
     {
       username_to_authorize = apr_pstrdup(r->pool, r->user);
       convert_case(username_to_authorize,
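
Review bot: the new condition tests `username_to_authorize` while the guarded body still duplicates `r->user`. They are the same pointer at this point, so the check is correct, but the mixed naming makes that less obvious; consider testing `r->user` directly, or duplicating `username_to_authorize` in the body, so the guard and the dereference visibly refer to the same value. A short comment above the `if` saying that `r->user` is NULL when no authentication is configured for the location would also help, because with this change `username_to_authorize` stays NULL on that path and anything that consumes it afterwards has to accept a NULL username as meaning an anonymous request.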


Cheers, Roderich
