httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject [PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)
Date Thu, 15 Jan 1998 02:29:54 GMT
+1 for 1.3 and 1.2. 

Dean

---------- Forwarded message ----------
Date: 14 Jan 1998 04:54:34 -0000
From: Ronald Tschalaer <Ronald.Tschalaer@psi.ch>
To: apbugs@hyperreal.org
X-Send-Pr-Version:3.2
Subject: general/1666: Apache uses a case sensitive match for "Basic" auth scheme


>Number:         1666
>Category:       general
>Synopsis:       Apache uses a case sensitive match for "Basic" auth scheme
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jan 13 21:00:00 PST 1998
>Last-Modified:
>Originator:     Ronald.Tschalaer@psi.ch
>Organization:
apache
>Release:        1.3b3 and all previous
>Environment:
All
>Description:
When using basic authentication Apache requires the scheme token in the
Authorization header to be exactly "Basic". If you send for example

  Authorization: basic ...

the authorization will fail and the message "client used wrong authentication
scheme" will be logged.

Note this problem is already fixed for digest in PR# 1599.
>How-To-Repeat:
The easiest is to try and access a protected document using telnet and give
an auth header as described above.
>Fix:
All comparisons are already case insensitive except for one. Here is the
patch for the last one:

*** http_protocol.c     Mon Jan 12 15:41:21 1998
--- http_protocol.c.orig        Sat Nov  1 23:24:08 1997
***************
*** 943,949 ****
          return AUTH_REQUIRED;
      }
  
!     if (strcasecmp(getword(r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
                      "client used wrong authentication scheme: %s", r->uri);
--- 943,949 ----
          return AUTH_REQUIRED;
      }
  
!     if (strcmp(getword(r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
                      "client used wrong authentication scheme: %s", r->uri);
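Review bot: the diff is reversed. The header gives http_protocol.c (Jan 12 1998) as the `***` old file and http_protocol.c.orig (Nov 1 1997) as the `---` new file, so the 943,949 hunk goes from strcasecmp(...) to strcmp(...), the opposite of the fix described. Applied as posted to an unmodified tree it will not match, and applied to a fixed tree it restores the case-sensitive comparison. Please regenerate with the original first (diff -c http_protocol.c.orig http_protocol.c) so the `!` line changes strcmp to strcasecmp. A smaller point on the same hunk: the aplog_error call records only r->uri, so the log does not show which scheme token the client actually sent; including it would make rejected requests easier to diagnose.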
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]




