httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lars Eilebrecht <Lars.Eilebre...@unix-ag.org>
Subject RE: protocol/1195: Bug in Authentication header (fwd)
Date Thu, 23 Oct 1997 21:16:55 GMT
According to Dean Gaudet:

>  There are dozens of directives taking RAW_ARGS which should be taking
>  TAKE1 ... which gets properly dequoted and such.  Fixing most of them
>  won't pose config problems with existing configs... unfortunately changing
>  AuthName probably would cause config problems.

Ok, here is an overview of directives using RAW_ARGS:

The following directives _maybe_ changed to use TAKEx/ITERATE without causing
config problems:

  SetEnv         -> TAKE2
  PassEnv        -> ITERATE
  UnsetEnv       -> ITERATE
  RewriteCond    -> TAKE23
  RewriteRule    -> TAKE23
  UserDir        -> TAKE1
  Require        -> ITERATE
  AccessFileName -> ITERATE
  AllowOverride  -> ITERATE
  Options        -> ITERATE
  IndexOptions   -> ITERATE
  DirectoryIndex -> ITERATE


If someone invents ITERATE3 we can avoid RAW_ARGS for the following
directives:

  SetEnvIf
  SetEnvIfNoCase


For the following directives it is IMHO ok to use RAW_ARGS:

  ErrorDocument (due to the <"> hack)
  <Directory>
  <DirectoryMatch>
  <Location>
  <LocationMatch>
  <VirtualHost>
  <Files>
  <FilesMatch>
  <Limit>
  <IfModule>


But back to AutName...

The AuthName directive can simply be changed to use TAKE1, but as Dean
already mentioned it likely will break some configs. But IMHO it is
acceptable. But there will still be some people who try to do things
like this:

  AuthName "This is a \"quoted\" string" 

The result will be an invalid WWW-Authenticate header, because quotes are not
allowed (any 8bit octet, but octects 0-31, 127 and <"> are allowed).


ciao...
-- 
Lars Eilebrecht                      - "Humans are communications junkies.
sfx@unix-ag.org                     - We just can't get enough." (Alan Kay)
http://www.si.unix-ag.org/~sfx/

Mime
View raw message