httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject RE: protocol/1195: Bug in Authentication header (fwd)
Date Thu, 23 Oct 1997 21:31:00 GMT


On Thu, 23 Oct 1997, Lars Eilebrecht wrote:

> According to Dean Gaudet:
> 
> >  There are dozens of directives taking RAW_ARGS which should be taking
> >  TAKE1 ... which gets properly dequoted and such.  Fixing most of them
> >  won't pose config problems with existing configs... unfortunately changing
> >  AuthName probably would cause config problems.
> 
> Ok, here is an overview of directives using RAW_ARGS:
> 
> The following directives _may be_ changed to use TAKEx/ITERATE without causing
> config problems:
> 
>   SetEnv         -> TAKE2
>   PassEnv        -> ITERATE
>   UnsetEnv       -> ITERATE
>   RewriteCond    -> TAKE23
>   RewriteRule    -> TAKE23
>   UserDir        -> TAKE1
>   Require        -> ITERATE
>   AccessFileName -> ITERATE
>   AllowOverride  -> ITERATE
>   Options        -> ITERATE
>   IndexOptions   -> ITERATE
>   DirectoryIndex -> ITERATE
> 
> 
> If someone invents ITERATE3 we can avoid RAW_ARGS for the following
> directives:
> 
>   SetEnvIf
>   SetEnvIfNoCase
> 
> 
> For the following directives it is IMHO ok to use RAW_ARGS:
> 
>   ErrorDocument (due to the <"> hack)
>   <Directory>
>   <DirectoryMatch>
>   <Location>
>   <LocationMatch>
>   <VirtualHost>
>   <Files>
>   <FilesMatch>
>   <Limit>
>   <IfModule>

+1 all of the above.

> But back to AuthName...
> 
> The AuthName directive can simply be changed to use TAKE1, but as Dean
> already mentioned it likely will break some configs. But IMHO it is
> acceptable. But there will still be some people who try to do things
> like this:
> 
>   AuthName "This is a \"quoted\" string" 
> 
> The result will be an invalid WWW-Authenticate header, because quotes are not
> allowed (any 8bit octet, but octets 0-31, 127 and <"> are allowed).

Wow, really?  That's really lame, there's no way to do other languages? 
We should really enforce these rules.

I'm +1 on switching to TAKE1, enforcing those rules, and documenting the
change in upgrading_to_1_3.

Dean
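
An added example, not part of the original message and not Apache code: a config-time check in C for the realm rule as quoted above (no octets 0-31, no 127, no double quote; 8-bit octets pass). The function names, the Basic scheme and the sample realms are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical helper (not Apache code): returns 1 when every octet of
 * realm is acceptable under the rule quoted in the message, i.e. no
 * octet in 0-31, no 127 and no double quote. Octets >= 128 pass. */
static int realm_is_valid(const char *realm)
{
    const unsigned char *p = (const unsigned char *)realm;
    if (p == NULL)
        return 0;
    for (; *p != '\0'; p++) {
        if (*p < 32 || *p == 127 || *p == '"')
            return 0;
    }
    return 1;
}

/* Builds the header value into out. Returns the length written, or -1
 * if the realm is invalid or the buffer is too small. Basic scheme assumed. */
static int build_www_authenticate(char *out, size_t outlen, const char *realm)
{
    int n;
    if (!realm_is_valid(realm))
        return -1;
    n = snprintf(out, outlen, "Basic realm=\"%s\"", realm);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample values, as they would look after dequoting. */
    const char *samples[] = {
        "Staff Area",
        "This is a \"quoted\" string",   /* the case from the message */
        "R\xe9serv\xe9",                 /* 8-bit octets are accepted */
        "line\r\nbreak",                 /* control octets are rejected */
    };
    char buf[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_www_authenticate(buf, sizeof buf, samples[i]) < 0)
            printf("sample %lu: rejected at config time\n", (unsigned long)i);
        else
            printf("WWW-Authenticate: %s\n", buf);
    }
    return 0;
}
```

Rejecting the value when the configuration is read means a bad AuthName never reaches a response header.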

