Index: branches/fc20-dev/server/common/patches/httpd-allow-null-user.patch
===================================================================
--- branches/fc20-dev/server/common/patches/httpd-allow-null-user.patch	(revision 2582)
+++ branches/fc20-dev/server/common/patches/httpd-allow-null-user.patch	(revision 2582)
@@ -0,0 +1,62 @@
+From a60a2c6a87331510847de401323bcdf3b9895838 Mon Sep 17 00:00:00 2001
+From: Adam Glasgall <glasgall@mit.edu>
+Date: Tue, 26 Aug 2014 17:47:45 -0400
+Subject: [PATCH] Remove r->user != NULL check from ap_process_request_internal
+
+After the check_user_id hook runs, Apache checks to make sure it's
+identified a user and aborts if this is not the case, to protect the
+auth_checker hook from accidental null pointer
+dereferences. Unfortunately, Scripts's mod_auth_optional relies on
+being able to have r->user still be NULL after check_user_id has run.
+
+This patch removes the null check. I believe this is safe because
+mod_auth_optional installs its auth_checker hook forcibly at the head
+of the hook chain, and said hook ends authz processing immediately if
+the directory in question has AuthOptional and no default user.
+
+Signed-off-by: Adam Glasgall <glasgall@mit.edu>
+---
+ server/request.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/server/request.c b/server/request.c
+index af0a697..9d7e29d 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -244,16 +244,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+-                if (r->user == NULL) {
+-                    /* don't let buggy authn module crash us in authz */
+-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00027)
+-                                  "No authentication done but request not "
+-                                  "allowed without authentication for %s. "
+-                                  "Authentication not configured?",
+-                                  r->uri);
+-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
+-                    return decl_die(access_status, "check user", r);
+-                }
+                 if ((access_status = ap_run_auth_checker(r)) != OK) {
+                     return decl_die(access_status, "check authorization", r);
+                 }
+@@ -281,16 +271,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+-                if (r->user == NULL) {
+-                    /* don't let buggy authn module crash us in authz */
+-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00028)
+-                                  "No authentication done but request not "
+-                                  "allowed without authentication for %s. "
+-                                  "Authentication not configured?",
+-                                  r->uri);
+-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
+-                    return decl_die(access_status, "check user", r);
+-                }
+                 if ((access_status = ap_run_auth_checker(r)) != OK) {
+                     return decl_die(access_status, "check authorization", r);
+                 }
+-- 
+1.9.1
+