httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: [STATUS] 1.3b4-dev Fri Dec 12 16:25:52 EST 1997
Date Tue, 16 Dec 1997 03:06:51 GMT
Jim Jagielski wrote:
> As of:
>     Fri Dec 12 16:25:52 EST 1997
> Available:
>     * Dean's protocol/1195: Bug in Authentication header (fwd)
>         <>
>         Status: Conceptual: Dean +1, Paul +1, Martin +1, Ken +1

Erm, this shouldn't be under "available," because there isn't a patch
for it yet.

I've played around with this, and looked at RFC2068 sections 11 (which says
that the realm name is a quoted-string) and 2.2 (which says that a
quoted-string can contain anything except '"' itself and ASCII values
{0-31,127}).  Section 2.2 also says:

:   The backslash character ("\") may be used as a single-character quoting
:   mechanism only within quoted-string and comment constructs.

so it's unclear to me whether "a string with a \"" is a valid realm name
or not.  (Roy?)

To recap, the current behaviour of

  AuthName "A Nice Place"

results in 'realm = ""A Nice Place""'.  Changing AuthName to TAKE1 doesn't
completely solve this problem, since

  AuthName "a string with a \""

will result in 'realm = "a string with a ""' being sent - the escape is

If quoted strings can't contain \" then I have a patch for this issue.  If
they can, a little more work needs to be done to re-insert the slosh the
TAKE1 processing removed.  Either way I'll take this one on unless
someone else already has a fix under wraps.

Regardless, I think this should be fixed for 1.3b4.  It's a potential
protocol error, and the fix (whatever it is) will break some
configurations that now erroneously (but understandably) quote
the realm name.  I'd rather introduce a correction during a beta,
and the earlier the better.

#ken	P-)}

View raw message