Merge pull request #1645 from benrubson/issue1644

Apache URIs can contain spaces
2017-04-21 10:47:12 +02:00 · 2017-04-21 10:47:12 +02:00 · dffda63d59
parent efd6fff7a0 311f8fea83
commit dffda63d59
1 changed files with 19 additions and 17 deletions
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@ -14,19 +14,18 @@ prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
 # auth_type = ((?:Digest|Basic): )?
 auth_type = ([A-Z]\w+: )?

-failregex = ^client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
-            ^user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
-            ^user .*? not found(: )?\S*(, referer: \S+)?\s*$
-            ^client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
-            ^Authorization of user \S+ to access \S* failed, reason: .*$
-            ^%(auth_type)suser .*?: password mismatch: \S*(, referer: \S+)?\s*$
-            ^%(auth_type)suser `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
-            ^user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
+failregex = ^client denied by server configuration\b
+            ^user <F-USER>(?:\S*|.*?)</F-USER> auth(?:oriz|entic)ation failure\b
+            ^user <F-USER>(?:\S*|.*?)</F-USER> not found\b
+            ^client used wrong authentication scheme\b
+            ^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
+            ^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
+            ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (not found|denied by provider)\b
            ^%(auth_type)sinvalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
-            ^%(auth_type)srealm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
-            ^%(auth_type)sunknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
-            ^invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
-            ^%(auth_type)sinvalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
+            ^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected `.+'(, referer: \S+)?\s*$
+            ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
+            ^invalid qop `(?:[^']*|.*?)' received\b
+            ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b

 ignoreregex = 

@ -47,14 +46,17 @@ ignoreregex =
 # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
 # to return the actual failure.
 #
+# Note that URI can contain spaces.
+#
 # See also: http://wiki.apache.org/httpd/ListOfErrors
 # Expressions that don't have tests and aren't common.
 # more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
-#     ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
-#     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
-#     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
+#     ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+#     ^user .*: one-time-nonce mismatch - sending new nonce\s*$
+#     ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
 #
-# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
+# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
 # 
 # Author: Cyril Jaquier
-# Major edits by Daniel Black and Sergey Brester (sebres)
+# Major edits by Daniel Black and Ben Rubson.
+# Rewritten for v.0.10 by Sergey Brester (sebres).