ridaction / google-authenticator-apache-module

Automatically exported from code.google.com/p/google-authenticator-apache-module

Allowed directory change in username input #7

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Specify the location of the user authentication file in the Apache configuration file, as specified in the documentation for GoogleAuthUserPath, to something like: /var/lib/www/ga_auth
2. Create a user file such as "testaccess@someplace.org" in an incorrect directory such as /var/lib/www, so that it is /var/lib/www/testaccess@someplace.org.
3. At the Apache web authentication prompt, enter ../testaccess@someplace.org as the username.
4. Enter the expected password and code in the password field.

What is the expected output? What do you see instead?
The expected response from the web server is to deny access and ignore the parent path specifier in the username, as no file testaccess@someplace.org exists in /var/lib/www/ga_auth as specified in GoogleAuthUserPath. However, login is successful and the file outside the specified GoogleAuthUserPath is read and accepted anyway.

What version of the product are you using? On what operating system?
R21 on CentOS 6.4 with Apache 2.2.15.

Original issue reported on code.google.com by James.Ha...@gmail.com on 10 Oct 2013 at 4:43

GoogleCodeExporter commented 8 years ago
Sorry, I forgot to mention why this is a significant defect: it is a security risk to allow directory walking through the username field, as it allows execution or reading of arbitrary files in the operating system that may result in unexpected code execution or denial of service. This is especially so if the scratch code reading is designed such that it may be necessary to write to a file to update the fact that a code has been used. This may inadvertently allow people to corrupt files elsewhere in the file system by specifying a file elsewhere.

Original comment by James.Ha...@gmail.com on 10 Oct 2013 at 4:48
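The defect in both comments above is that the username is joined onto GoogleAuthUserPath without being validated, so a "../" prefix selects a file outside that directory. The following is an added example of how a module could validate the username before building the path; it is not the google-authenticator-apache-module's own code, and the function names and the allowed character set are my assumptions.

```c
/* Added example (not the module's own code): a hardened way to map an
 * HTTP Basic-auth username onto a file under GoogleAuthUserPath.
 * Function names and the allowed character set are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters a username may contain: letters, digits and a few
 * punctuation marks common in e-mail style account names. Slashes,
 * backslashes, NUL and control characters are never allowed, so the
 * name can only ever select a direct child of the base directory. */
static int allowed_char(unsigned char c)
{
    return isalnum(c) || c == '@' || c == '.' || c == '_' ||
           c == '-' || c == '+';
}

/* Returns 1 if `user` is acceptable as a file name, 0 otherwise. */
int user_name_is_safe(const char *user)
{
    size_t len;
    if (user == NULL || *user == '\0')
        return 0;
    len = strlen(user);
    if (len > 255)                 /* longer than any sane account name */
        return 0;
    if (user[0] == '.')            /* rejects ".", "..", and dotfiles */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!allowed_char((unsigned char)user[i]))
            return 0;
    return 1;
}

/* Builds "<base>/<user>" into `out`. Returns 0 on success, -1 if the
 * username was rejected or the result would not fit. As a second layer
 * the caller can realpath() the opened file and confirm the canonical
 * path still begins with the canonical base directory. */
int build_user_file_path(const char *base, const char *user,
                         char *out, size_t outlen)
{
    if (!user_name_is_safe(user))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", base, user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```

With this check the reproduction in the report fails at step 3: "../testaccess@someplace.org" contains a slash and is rejected before any file under /var/lib/www is touched.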