Received: (from majordom@localhost) by hyperreal.com (8.8.5/8.8.5) id MAA15217; Thu, 22 May 1997 12:26:53 -0700 (PDT)
Received: from pool.pipex.net (pool.pipex.net [158.43.128.24]) by hyperreal.com (8.8.5/8.8.5) with SMTP id MAA15209 for ; Thu, 22 May 1997 12:26:50 -0700 (PDT)
Received: (qmail 10278 invoked from smtpd); 22 May 1997 19:26:47 -0000
Received: from imdb.demon.co.uk (HELO localhost.imdb.com) (194.222.68.23) by pool.pipex.net with SMTP; 22 May 1997 19:26:46 -0000
Date: Thu, 22 May 1997 20:26:25 +0100 (BST)
From: Rob Hartill
To: Apache Group
Subject: Forwarded mail....
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Date: Thu, 22 May 97 16:09:23 +0200
From: Tankred Hirschmann
Message-Id: <9705221409.AA03530@mpg-ana.uni-potsdam.de>
Apparently-To:
Bcc:

To whom it may concern,

I plan to substitute the old-fashioned NCSA httpd 1.4.2 (which serves our Web site) by the Apache daemon (v. 1.2.b10). Thus I tested in a preliminary phase nearly all of the configuration directives... During this I found the following points of question:

mod_digest:
----------
A request for a resource which requires digest authorization can contain a request header

    Authorization: Digest ... nonce="value", ...

where `value' is an ARBITRARY string. It seems that there is absolutely no correlation with a nonce value given in a previous response header necessary. Indeed, by a very coarse view through the source code I didn't find any usage of the "nonce" other than the check of its existence in the appropriate header line. Therefore the current implementation is as secure as it would be without any `nonce'. The HTTP/1.1 RFC characterizes this as a security flaw...

Are there plans to change this implementation in future (beta) releases?

mod_header:
----------
The header "replace/remove" directive only works with headers coming from other header directives. But a "hard-wired" header produced by a CGI script or an asis file (or induced by a cern_meta construct) remains untouched. Is this behavior intended? If it is, a statement in the manual about this fact may be helpful.

It would be nice to help me with some remarks about these points.

Good luck with your beautiful project and thanks in advance

Tankred Hirschmann
------------------------------------------------------------------------------
Dr. Tankred Hirschmann               Tel.: +49 (331) 977-1186 or -1178
Universitaet Potsdam                 Tel.: +49 (331) 977-1269 (secretary's office)
Institut fuer Mathematik             Fax:  +49 (331) 977-1440
Am Neuen Palais 10 (Haus 8)          e-mail: th@mpg-ana.uni-potsdam.de
14469 Potsdam                        WWW: http://www.mpg-ana.uni-potsdam.de/~th/
Germany
------------------------------------------------------------------------------
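The mod_digest point above is that a server which only checks that a `nonce` parameter is present, without tying it to a nonce it issued itself, gets no replay protection from the nonce at all. The following is an added example, not code from Apache or from the message's author, showing the check a Digest implementation needs: the server issues nonces of the form base64(timestamp ":" HMAC(secret, timestamp ":" realm)), a simplified variant of the stateless construction the Digest RFC suggests, and on each request parses the `Authorization: Digest` header and accepts the nonce only if the MAC verifies for this realm and the timestamp is within a freshness window. `SERVER_SECRET`, `NONCE_LIFETIME_SECONDS`, the realm names and the sample headers are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import Dict, Optional

# Constructed example values: a real server loads the secret from its
# configuration and rotates it; the lifetime is a policy choice.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
NONCE_LIFETIME_SECONDS = 300


def make_nonce(realm: str, now: Optional[float] = None) -> str:
    """Issue a self-authenticating nonce: base64(ts ":" HMAC(secret, ts ":" realm)).

    The server keeps no per-nonce state; the MAC is what later proves the
    nonce was issued by this server for this realm.
    """
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_SECRET, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()


def nonce_is_valid(nonce: str, realm: str, now: Optional[float] = None) -> bool:
    """Accept only a nonce this server issued for `realm` that has not expired.

    An arbitrary string (the case described in the message) fails here
    because it either does not decode or carries no valid MAC.
    """
    try:
        ts, mac = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, unpack errors
        return False
    expected = hmac.new(SERVER_SECRET, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= NONCE_LIFETIME_SECONDS


# Matches key="quoted value" or key=token inside the Digest parameter list.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> Optional[Dict[str, str]]:
    """Parse 'Digest k1="v1", k2=v2, ...' into a dict; None if the scheme is not Digest."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM_RE.finditer(params)
    }


def authorization_nonce_ok(header: str, realm: str, now: Optional[float] = None) -> bool:
    """The check mod_digest lacked: presence of a nonce is not enough, it must verify."""
    params = parse_digest_header(header)
    if params is None or "nonce" not in params:
        return False
    return nonce_is_valid(params["nonce"], realm, now)


if __name__ == "__main__":
    issued = make_nonce("example-realm")
    good = f'Digest username="alice", realm="example-realm", nonce="{issued}", uri="/", response="..."'
    bogus = 'Digest username="alice", realm="example-realm", nonce="anything-at-all", uri="/", response="..."'
    print("issued nonce accepted:", authorization_nonce_ok(good, "example-realm"))
    print("arbitrary nonce accepted:", authorization_nonce_ok(bogus, "example-realm"))
```

Validating the nonce is only one part of a Digest check; the server must still recompute and compare the `response` digest, and for protection against replay within the nonce lifetime it would also track the nonce count (`nc`). The point of the example is the specific gap the message reports: a nonce that is merely present, rather than verified, adds nothing.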