httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 31638] New: - POST request body counts as part of next request header when BASIC authentification is used
Date Mon, 11 Oct 2004 10:24:23 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31638>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31638

POST request body counts as part of next request header when BASIC authentification is used

           Summary: POST request body counts as part of next request header
                    when BASIC authentification is used
           Product: Apache httpd-1.3
           Version: 1.3.31
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: a.panfilov@equant.ru
                CC: a.panfilov@equant.ru


We have a Perl script accessed via the web and protected by the BASIC
authorization method. Clients request the script using the HTTP POST method,
opening a separate session (and processing the authorization cycle as well) for
each request. In the previous version of Apache (1.3.27) everything was OK.
After the upgrade to 1.3.31, we've got trouble, clearly seen in the following
access_log extract:

172.16.0.14 - - [11/Oct/2004:12:26:01 +0400] "POST /guacsc/guacsc.pl HTTP/1.1" 401 490
172.16.0.14 - gazhariga [11/Oct/2004:12:26:13 +0400] "mode=WPOST /guacsc/guacsc.pl HTTP/1.1" 500 628
-------------------------------------------------------^^^^^^^

As we suspect, the following sequence occurred:
1. The client sends a POST request with some parameters in its body ("mode=W").
2. Apache sends an "Authorization required (401)" response immediately after
the request header is read.
3. The client sends a second request with authorization information.
4. Apache accepts the authorization, but aggregates the first request body with
the second request header (as marked in the log above), so the request
parameters are lost and are not passed to the script.
5. So the script fails with a 500 error.

We use the following simple HTML to test the trouble:
<html>
<body>
<form action="http://sun-lpp:8880/guacsc/guacsc.pl" method="POST">
<input type="hidden" name="mode" value="W">
<input type="submit">
</form>
</body>
</html>

Apache is installed on Sun Solaris Platform (SunFire 880 + Sun Solaris OS v.2.8).
Related Apache configuration part (httpd.conf):
ScriptAlias /guacsc/ "/usr/local/guacsc/cgi-bin/"
<Directory "/usr/local/guacsc/cgi-bin">
        AllowOverride AuthConfig
        Options None
        Order allow,deny
        Allow from all
</Directory>

Other settings are left default.

The trouble does not depend on the HTTP client used (we tested with IE 6, NN 7
and the Jakarta HttpClient 2.0 lib), but it does not always happen in other
configurations (e.g. in a Red Hat behind-firewalls environment we have no
trouble with common browsers, but have the same trouble with the HttpClient
lib).

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
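
A minimal model of the sequence the reporter suspects, as an added example that is not part of the original report and is not Apache httpd code: a toy keep-alive reader that either leaves or drains the body of a request rejected with 401, plus a check that flags the resulting log symptom. The function names, the Host and Content-Type headers and the credential placeholder are assumptions; the path, body and expected request lines are taken from the report.

```python
# Added illustration: a toy keep-alive connection reader, not Apache httpd code.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def read_requests(stream: bytes, drain_body_on_401: bool) -> list[str]:
    """Return the request lines one connection would produce in the access log.

    A request without an Authorization header is answered with 401 as soon as
    its headers are read. If its body is not drained, those bytes stay in the
    connection buffer and become the start of the next request line.
    """
    logged, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block: nothing more to parse
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        logged.append(lines[0])
        pos = end + 4
        rejected = "authorization" not in headers  # would get 401
        if not rejected or drain_body_on_401:
            pos += int(headers.get("content-length", "0"))  # consume the body
    return logged

def flag_unknown_methods(request_lines: list[str]) -> list[str]:
    """Detection side: request lines whose method token is not a known method."""
    return [r for r in request_lines if r.split(" ", 1)[0] not in KNOWN_METHODS]

def post(extra_header: bytes = b"") -> bytes:
    # Constructed request; the body "mode=W" and the path come from the report.
    return (b"POST /guacsc/guacsc.pl HTTP/1.1\r\n"
            b"Host: sun-lpp:8880\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 6\r\n" + extra_header + b"\r\n" + b"mode=W")

# Constructed connection: unauthenticated POST, then the retry with credentials.
CONNECTION = post() + post(b"Authorization: Basic constructed-placeholder\r\n")

if __name__ == "__main__":
    for drain in (False, True):
        lines = read_requests(CONNECTION, drain)
        print("drain" if drain else "no drain", lines, flag_unknown_methods(lines))
```

With the body left undrained, the second logged request line is the one marked in the access_log extract; the same method-token check can be run over real access logs to find connections where this happened.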

