From: Isaac Boukris <iboukris@gmail.com>
Date: Sun, 7 Jun 2015 21:52:30 +0000 (+0300)
Subject: Disable connection-bound for basic-auth
X-Git-Tag: v1.3.0~31
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=commitdiff_plain;h=9cfa62da9119d2cd62314e5328215f8ea45c64b1;ds=sidebyside

Disable connection-bound for basic-auth

Clients don't expect this and therefore might inappropriately reuse the
connection for another user identity (with or without creds).

This is currently more of an issue due to issue 22, example:
curl -v http://myhost/ -u usera:passa --next http://myhost/ -u userb:passb

Closes #36

Reviewed-by: Simo Sorce <simo@redhat.com>
---

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index d351777..a88b653 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -579,6 +579,10 @@ static int mag_auth(request_rec *req)
         goto done;
     }
     if (auth_type == AUTH_TYPE_BASIC) {
+        if (mc) {
+            apr_pool_cleanup_run(mc->parent, mc, mag_conn_destroy);
+            mc = NULL;
+        }
         while (maj == GSS_S_CONTINUE_NEEDED) {
             gss_release_buffer(&min, &input);
             /* output and input are inverted here, this is intentional */