Received: (from majordom@localhost)
    by hyperreal.org (8.8.5/8.8.5) id XAA00364;
    Sat, 16 Aug 1997 23:50:26 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3])
    by hyperreal.org (8.8.5/8.8.5) with ESMTP id XAA00358 for ;
    Sat, 16 Aug 1997 23:50:23 -0700 (PDT)
Received: from znep.com (uucp@localhost)
    by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id AAA12566
    for new-httpd@apache.org; Sun, 17 Aug 1997 00:50:21 -0600 (MDT)
Received: from localhost (marcs@localhost)
    by alive.znep.com (8.7.5/8.7.3) with SMTP id AAA24715 for ;
    Sun, 17 Aug 1997 00:46:35 -0600 (MDT)
Date: Sun, 17 Aug 1997 00:46:35 -0600 (MDT)
From: Marc Slemko
To: TLOSAP
Subject: mod_proxy/668: Two problems with user:password@host URLs (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

ISTR some out-of-band discussion on this one that isn't in the PR
database but is probably in the apache-bugdb archives...

What is a client doing sending such requests anyway? I wasn't aware
that such a form was valid for anything except specifying URLs to
clients; the client is supposed to process it and use the appropriate
method for the protocol.

---------- Forwarded message ----------
Date: Wed, 4 Jun 1997 03:00:02 -0700 (PDT)
From: Lyonel VINCENT
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org
Subject: mod_proxy/668: Two problems with user:password@host URLs

>Number:         668
>Category:       mod_proxy
>Synopsis:       Two problems with user:password@host URLs
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jun 4 03:00:01 1997
>Originator:     vincent@hpwww.ec-lyon..fr
>Organization:
apache
>Release:        1.2b10
>Environment:
HP-UX atropos B.10.20 A 9000/803 2006896634 two-user license ansi C
>Description:
* The standard mod_proxy just does not understand
  http://user:password@host/ requests and refuses to handle them.
* the proxy module logs the sent user/password pairs in the logfile
  => security problem.
>How-To-Repeat:
Just use Netscape Gold and give it a default user/password pair then
publish your document through the proxy. Netscape will send something
like

    PUT http://user:password@host/document HTTP/1.0

which gets the proxy confused.
>Fix:
I have fixed the problems by modifying proxy_http.c and mod_proxy.c --
where can I send the solution?
>Audit-Trail:
>Unformatted:
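
The second problem in the report, user/password pairs from a user:password@host request URL ending up in the log file, can be avoided by masking the userinfo before the request line is written to the log. The following is an added example, not the submitter's fix and not Apache code; the function names and the REDACTED marker are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out with any "user:password@" in the authority replaced by
 * "REDACTED@". Returns 1 if masked, 0 if no userinfo, -1 if out is too small. */
int redact_userinfo(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://"), *at = NULL, *p;
    int n;
    /* "://" must precede the first '/', '?' or '#', not sit in a path or query. */
    if (sep != NULL && strcspn(url, "/?#") > (size_t)(sep - url)) {
        const char *auth = sep + 3;
        const char *end = auth + strcspn(auth, "/?#");   /* end of authority */
        for (p = auth; p < end; p++)
            if (*p == '@') at = p;   /* last '@': covers passwords containing '@' */
        if (at != NULL) {
            n = snprintf(out, outlen, "%.*s%s%s", (int)(auth - url), url, "REDACTED@", at + 1);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
        }
    }
    n = snprintf(out, outlen, "%s", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Mask the URL token of a "METHOD URL PROTOCOL" request line before logging it. */
int redact_request_line(const char *line, char *out, size_t outlen)
{
    char url[1024], clean[1040];
    const char *u = strchr(line, ' ');
    size_t ulen;
    int rc, n;
    if (u == NULL) return redact_userinfo(line, out, outlen);
    u++;
    ulen = strcspn(u, " ");
    if (ulen >= sizeof url) return -1;
    memcpy(url, u, ulen);
    url[ulen] = '\0';
    if ((rc = redact_userinfo(url, clean, sizeof clean)) < 0) return -1;
    n = snprintf(out, outlen, "%.*s%s%s", (int)(u - line), line, clean, u + ulen);
    return (n < 0 || (size_t)n >= outlen) ? -1 : rc;
}

int main(void)
{
    char buf[256];
    redact_request_line("PUT http://user:password@host/document HTTP/1.0", buf, sizeof buf);
    puts(buf);
    return 0;
}
```

Masking only changes what is logged; the proxy still needs the original userinfo to handle the request itself.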