httpd-dev mailing list archives

From Justin Erenkrantz <jerenkra...@ebuilt.com>
Subject Re: Null username/password in auth rules
Date Mon, 24 Sep 2001 21:20:43 GMT
On Mon, Sep 24, 2001 at 05:12:42PM -0400, Rodent of Unusual Size wrote:
> Someone has brought up the point that an AuthUserFile database
> containing a line with only ':' on it will allow access if the
> supplied username and password are blank and 'Require valid-user'
> is the access control.
> 
> RFC 2617 permits such null credential elements; the questions
> that have been raised for us are:
> 
> 1. Should *we* allow it?
> 2. If we allow it, should it match 'valid-user', or only
>    'Require user ""'?  (Not sure if the latter will work
>    currently.)
> 
> My personal HO is 1) yes, we should allow it, and 2) yes,
> it should be matched by 'valid-user' -- because, by virtue
> of its being in the AuthUserFile database, it IS a valid
> user by definition.

+1.  (yes, and "" should match valid-user.)  -- justin
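
An audit an administrator could run for the case raised in this thread, added here as an example that is not part of either message or of Apache's code: it scans AuthUserFile-format text for entries whose username or password field is empty. The function name, the sample lines, and the handling of comments and extra fields are assumptions.

```python
from typing import List, NamedTuple

# Constructed sample in AuthUserFile (htpasswd) format; hashes are fake.
SAMPLE = """\
# constructed sample, not from the thread
alice:$apr1$constructed$notARealHash
:
bob:
:$apr1$constructed$notARealHash
"""

class Finding(NamedTuple):
    lineno: int
    user: str
    issue: str

def audit_authuserfile(text: str) -> List[Finding]:
    """Flag entries whose username and/or password field is empty."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and '#' comments are not entries.
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(lineno, line, "no ':' separator"))
            continue
        user, rest = line.split(":", 1)
        # Assumption: anything after a second ':' is not part of the password.
        password = rest.split(":", 1)[0]
        if not user and not password:
            issue = "null username and null password"
        elif not user:
            issue = "null username"
        elif not password:
            issue = "null password"
        else:
            continue
        findings.append(Finding(lineno, user, issue))
    return findings

if __name__ == "__main__":
    for f in audit_authuserfile(SAMPLE):
        print(f"line {f.lineno}: user={f.user!r}: {f.issue}")
```

Whether a flagged entry is intentional is a policy decision; the thread's point is that a lone ':' line admits blank credentials under 'Require valid-user'.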

