httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42120] New: - Apache authentication doesn't properly handle parameters in URL matching
Date Fri, 13 Apr 2007 21:20:27 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42120>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42120

           Summary: Apache authentication doesn't properly handle parameters
                    in URL matching
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dopey@moonteeth.com


If a Location block is tagged as requiring auth, for example:
<Location /somewhere>
  AuthName "REalm"
  AuthType Basic
  AuthBasicProvider ldapProvider
  require valid-user
</Location>

A hit to http://server/somewhere or http://server/somewhere/ will be challenged
for authentication.  However
http://server/somewhere;parameter=value will not be challenged.

I believe this is incorrect as per RFC 2396:
3.3. Path Component

   The path component contains data, specific to the authority (or the
   scheme if there is no authority component), identifying the resource
   within the scope of that scheme and authority.

      path          = [ abs_path | opaque_part ]

      path_segments = segment *( "/" segment )
      segment       = *pchar *( ";" param )
      param         = *pchar

      pchar         = unreserved | escaped |
                      ":" | "@" | "&" | "=" | "+" | "$" | ","

   The path may consist of a sequence of path segments separated by a
   single slash "/" character.  Within a path segment, the characters
   "/", ";", "=", and "?" are reserved.  Each path segment may include a
   sequence of parameters, indicated by the semicolon ";" character.
   The parameters are not significant to the parsing of relative
   references.

The last sentence, I believe, is saying that the parameter is not significant in
terms of the actual referenced path segment.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
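
Added example (not part of the bug report and not httpd's own code): a simplified model of the segment-boundary prefix match described in the report, used to scan access-log lines for unauthenticated requests that fall under a protected prefix only once RFC 2396 path parameters are stripped. The function names, the Common Log Format assumption and the sample log lines are constructed for illustration.

```python
import re

# Assumed log layout (Common Log Format):
# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def strip_params(path):
    """Drop the ';param' part of every segment (RFC 2396, section 3.3)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def boundary_match(prefix, path):
    """Model of the match in the report: the prefix must be followed by
    end-of-path or '/', so '/somewhere;x=1' does not match '/somewhere'."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def find_unchallenged(prefix, log_lines):
    """Return request paths that name the protected prefix only after path
    parameters are removed and that were answered without a 401 or a user."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        path = m.group("target").split("?", 1)[0]  # query string is not path
        if boundary_match(prefix, path):
            continue  # the Location block applied to this request
        if (boundary_match(prefix, strip_params(path))
                and m.group("user") == "-" and m.group("status") != "401"):
            hits.append(path)
    return hits

# Constructed sample log lines (documentation addresses, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Apr/2007:21:20:01 +0000] "GET /somewhere HTTP/1.1" 401 401',
    '192.0.2.10 - alice [13/Apr/2007:21:20:05 +0000] "GET /somewhere/ HTTP/1.1" 200 1200',
    '192.0.2.11 - - [13/Apr/2007:21:20:09 +0000] "GET /somewhere;parameter=value HTTP/1.1" 200 1200',
    '192.0.2.11 - - [13/Apr/2007:21:20:12 +0000] "GET /somewhereelse HTTP/1.1" 200 300',
    '192.0.2.12 - - [13/Apr/2007:21:20:15 +0000] "GET /somewhere;parameter=value/index.html?x=1 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in find_unchallenged("/somewhere", SAMPLE_LOG):
        print("served without challenge:", hit)
```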
