httpd-cvs mailing list archives

From n..@apache.org
Subject svn commit: r574021 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c
Date Sun, 09 Sep 2007 15:38:08 GMT
Author: niq
Date: Sun Sep  9 08:38:08 2007
New Revision: 574021

URL: http://svn.apache.org/viewvc?rev=574021&view=rev
Log:
Propagate Proxy-Authorization header correctly
PR 25947
RFC2616 tells us:
  (1) If we haven't authenticated, we must pass the header on.
  (2) If we have authenticated, we MAY pass it on.
I've made the latter case configurable by ENV(Proxy-Chain-Auth).

Also, Proxy-Authenticate is a response header, and doesn't belong
in a check of request headers.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/proxy/mod_proxy_http.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=574021&r1=574020&r2=574021&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Sep  9 08:38:08 2007
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
+     PR 25947 [Nick Kew]
+
   *) mod_proxy: escape error-notes correctly
      PR 40952 [Thijs Kinkhorst <thijs debian.org>]
 
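Review bot: The new CHANGES entry ("mod_proxy_http: Propagate Proxy-Authorization header correctly") does not mention the Proxy-Chain-Auth environment variable that the log message introduces, so an administrator reading CHANGES gets no pointer to the switch that decides whether credentials are forwarded. Suggest naming the variable in the entry and stating the default: once this proxy has authenticated the request, the header is stripped unless Proxy-Chain-Auth is set.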

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?rev=574021&r1=574020&r2=574021&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c Sun Sep  9 08:38:08 2007
@@ -748,19 +748,22 @@
              || !strcasecmp(headers_in[counter].key, "Trailer")
              || !strcasecmp(headers_in[counter].key, "Upgrade")
 
-            /* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be
-             * suppressed if THIS server requested the authentication,
-             * not when a frontend proxy requested it!
-             *
-             * The solution to this problem is probably to strip out
-             * the Proxy-Authorisation header in the authorisation
-             * code itself, not here. This saves us having to signal
-             * somehow whether this request was authenticated or not.
-             */
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authorization")
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) {
+             ) {
             continue;
         }
+	/* Do we want to strip Proxy-Authorization ?
+	 * If we haven't used it, then NO
+	 * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+	 * So let's make it configurable by env.
+	 */
+        if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) {
+            if (r->user != NULL) { /* we've authenticated */
+                if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
+                    continue;
+                }
+	    }
+	}
+
 
         /* Skip Transfer-Encoding and Content-Length for now.
          */
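Review bot: The test "if (r->user != NULL) { /* we've authenticated */" stands in for "this server consumed Proxy-Authorization", but r->user is filled in by whichever authentication ran on the request, and whenever it is NULL the header now goes to the next hop unconditionally. That follows point (1) of the log message, yet it means a client's proxy credentials are handed to the backend on any configuration where this proxy does not authenticate, so the behaviour should at least be documented next to the directive docs, and it is worth considering whether the pass-through should be limited to cases where a Proxy-Authorization challenge was actually in play. Two smaller points in the same block: apr_table_get(r->subprocess_env, "Proxy-Chain-Auth") only tests presence, so a value such as "off" or "0" still enables forwarding, which should be stated or the value checked; and the added comment and closing braces are indented with tabs while the surrounding code uses spaces.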


