httpd-cvs mailing list archives

From ge...@apache.org
Subject cvs commit: httpd-2.0 CHANGES
Date Tue, 23 Mar 2004 13:57:48 GMT
geoff       2004/03/23 05:57:48

  Modified:    modules/aaa mod_auth_digest.c
               .        CHANGES
  Log:
  work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
  is set in r->subprocess_env allow mismatched query strings to pass.
  PR: 27758
  
  Revision  Changes    Path
  1.87      +27 -0     httpd-2.0/modules/aaa/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_auth_digest.c,v
  retrieving revision 1.86
  retrieving revision 1.87
  diff -u -r1.86 -r1.87
  --- mod_auth_digest.c	21 Feb 2004 00:53:18 -0000	1.86
  +++ mod_auth_digest.c	23 Mar 2004 13:57:48 -0000	1.87
  @@ -1671,8 +1671,35 @@
           if (d_uri.path) {
               ap_unescape_url(d_uri.path);
           }
  +
           if (d_uri.query) {
               ap_unescape_url(d_uri.query);
  +        }
  +        else if (r_uri.query) {
  +            /* MSIE compatibility hack.  MSIE has some RFC issues - doesn't 
  +             * include the query string in the uri Authorization component
  +             * or when computing the response component.  the second part
  +             * works out ok, since we can hash the header and get the same
  +             * result.  however, the uri from the request line won't match
  +             * the uri Authorization component since the header lacks the 
  +             * query string, leaving us incompatable with a (broken) MSIE.
  +             * 
  +             * the workaround is to fake a query string match if in the proper
  +             * environment - BrowserMatch MSIE, for example.  the cool thing
  +             * is that if MSIE ever fixes itself the simple match ought to 
  +             * work and this code won't be reached anyway, even if the
  +             * environment is set.
  +             */
  +
  +            if (apr_table_get(r->subprocess_env, 
  +                              "AuthDigestEnableQueryStringHack")) {
  +            
  +                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Digest: "
  +                              "applying AuthDigestEnableQueryStringHack "
  +                              "to uri <%s>", resp->raw_request_uri);
  +
  +               d_uri.query = r_uri.query;
  +            } 
           }
   
           if (r->method_number == M_CONNECT) {
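
Review bot: In the new else-if branch, the assignment d_uri.query = r_uri.query fakes the query string match (as the comment itself says) for whatever query string arrived on the request line, so while AuthDigestEnableQueryStringHack is set the query string is not covered by the Digest check at all. The comment suggests enabling it through BrowserMatch MSIE, which keys on a client-supplied header, so this trade-off should be spelled out in the module documentation (the commit touches only mod_auth_digest.c and CHANGES), with advice to scope the variable as narrowly as possible. The apr_table_get() test only checks presence, so any value of the variable enables the hack; that is worth stating too. Nit: the d_uri.query assignment is indented one column short of the ap_log_rerror call above it, and several added lines carry trailing whitespace.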
  
  
  
  1.1432    +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1431
  retrieving revision 1.1432
  diff -u -r1.1431 -r1.1432
  --- CHANGES	21 Mar 2004 11:13:12 -0000	1.1431
  +++ CHANGES	23 Mar 2004 13:57:48 -0000	1.1432
  @@ -2,6 +2,10 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
  +     is set in r->subprocess_env allow mismatched query strings to pass.
  +     PR 27758.  [Paul Querna <chip force-elite.com>, Geoffrey Young]
  +
     *) logresolve: Allow size of log line buffer to be overridden at
        build time (MAXLINE).  PR 27793.  [Jeff Trawick]
   
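
Review bot: The new CHANGES entry does not name the module, and "set in r->subprocess_env" is an internal detail that an administrator reading CHANGES will not recognise. Suggest prefixing the entry with "mod_auth_digest:" the way the logresolve entry below names its program, saying that AuthDigestEnableQueryStringHack is an environment variable (set for example via BrowserMatch, as the code comment suggests), and noting that it only takes effect when the uri in the Authorization header carries no query string.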
  
  
  
