Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 29514 invoked by uid 6000); 23 Oct 1997 09:33:35 -0000
Received: (qmail 29507 invoked from network); 23 Oct 1997 09:33:33 -0000
Received: from twinlark.arctic.org (204.62.130.91) by taz.hyperreal.org with SMTP; 23 Oct 1997 09:33:33 -0000
Received: (qmail 18496 invoked by uid 500); 23 Oct 1997 09:34:17 -0000
Date: Thu, 23 Oct 1997 02:34:17 -0700 (PDT)
From: Dean Gaudet
To: new-httpd@apache.org
Subject: protocol/1195: Bug in Authentication header (fwd)
Message-ID:
Organization: Transmeta Corp.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

There are dozens of directives taking RAW_ARGS which should be taking
TAKE1 ... which gets properly dequoted and such. Fixing most of them
won't pose config problems with existing configs... unfortunately changing
AuthName probably would cause config problems.

I'd personally like to see all of them fixed (i.e. using TAKE1) so that
the config file syntax is a wee bit more sane.

Dean

---------- Forwarded message ----------
Date: Fri, 3 Oct 1997 10:10:02 -0700 (PDT)
From: Nicolai Langfeldt
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org
Subject: protocol/1195: Bug in Authentication header

>Number: 1195
>Category: protocol
>Synopsis: Bug in Authentication header
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Oct 3 10:10:01 1997
>Originator: janl@math.uio.no
>Organization: apache
>Release: 1.2.4
>Environment: HP-UX 10.01, however that seems N/A
>Description:
Given

AuthName "Two words"
AuthType Basic

in a .htaccess file apache produces an illegal WWW-Authenticate header:

$ telnet www.math.uio.no 80
Trying 129.240.223.53...
Connected to kryseis.uio.no.
Escape character is '^]'.
GET /~janl/test HTTP/1.0

HTTP/1.1 401 Authorization Required
Date: Fri, 03 Oct 1997 17:00:57 GMT
Server: Apache/1.2.4
WWW-Authenticate: Basic realm=""Two words""
Connection: close
Content-Type: text/html

Note double quotes in the realm spec. You need not use the quotes
in the realm spec in the .htaccess file, but people will be liable to
if the realm name contains HWS.
>How-To-Repeat: Specified above
>Fix: N
>Audit-Trail:
>Unformatted:
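
Added example, not part of the original message and not Apache's own code: a small C model of the two argument styles discussed above, showing how a verbatim (RAW_ARGS-style) value yields realm=""Two words"" while a dequoted (TAKE1-style) value yields a legal header, and why an unquoted two-word AuthName would stop being accepted. The function names and the simplified parsing rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical TAKE1-style parse: copy exactly one argument, stripping one pair of
 * double quotes. -1 = empty value, unterminated quote, second argument, or overflow. */
int take1(const char *raw, char *out, size_t n) {
    size_t o = 0;
    if (n == 0) return -1;
    while (*raw == ' ' || *raw == '\t') raw++;
    int quoted = (*raw == '"');
    if (quoted) raw++;
    while (*raw && (quoted ? *raw != '"' : (*raw != ' ' && *raw != '\t'))) {
        if (o + 1 >= n) return -1;
        out[o++] = *raw++;
    }
    out[o] = '\0';
    if (quoted && *raw++ != '"') return -1;      /* unterminated quote */
    while (*raw == ' ' || *raw == '\t') raw++;
    return (o == 0 || *raw) ? -1 : 0;            /* empty, or extra argument */
}

/* Emit the challenge with the realm wrapped in one pair of quotes. */
int challenge(const char *realm, char *out, size_t n) {
    int len = snprintf(out, n, "WWW-Authenticate: Basic realm=\"%s\"", realm);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* RAW_ARGS-style handling: the directive text is the realm, quotes and all. */
int header_raw(const char *args, char *out, size_t n) {
    return challenge(args, out, n);
}

/* TAKE1-style handling: dequote, refuse a stray quote, then build the header. */
int header_take1(const char *args, char *out, size_t n) {
    char realm[128];
    if (take1(args, realm, sizeof realm) != 0 || strchr(realm, '"')) return -1;
    return challenge(realm, out, n);
}

int main(void) {
    char h[256];
    const char *cfg[] = { "\"Two words\"", "Two words" };   /* constructed samples */
    for (int i = 0; i < 2; i++) {
        header_raw(cfg[i], h, sizeof h);
        printf("AuthName %s\n  raw:   %s\n", cfg[i], h);
        printf("  take1: %s\n", header_take1(cfg[i], h, sizeof h) == 0 ? h : "(rejected)");
    }
    return 0;
}
```

The second sample is the compatibility case: the raw path accepts an unquoted two-word realm, while the one-argument path rejects it, so such configs would need quotes added.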