httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Null username/password in auth rules
Date Mon, 24 Sep 2001 21:12:42 GMT
Someone has brought up the point that an AuthUserFile database
containing a line with only ':' on it will allow access if the
supplied username and password are blank and 'Require valid-user'
is the access control.

RFC 2617 permits such null credential elements; the questions
that have been raised for us are:

1. Should *we* allow it?
2. If we allow it, should it match 'valid-user', or only
   "Require user ""'?  (Not sure if the latter will work

My personal HO is 1) yes, we should allow it, and 2) yes,
it should be matched by 'valid-user' -- because, by virtue
of its being in the AuthUserFile database, it IS a valid
user by definition.

OtherBill differs, and I yield the [virtual] floor to him. :-D
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

View raw message