httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Null username/password in auth rules
Date Mon, 24 Sep 2001 21:12:42 GMT
Someone has brought up the point that an AuthUserFile database
containing a line with only ':' on it will allow access if the
supplied username and password are blank and 'Require valid-user'
is the access control.

RFC 2617 permits such null credential elements; the questions
that have been raised for us are:

1. Should *we* allow it?
2. If we allow it, should it match 'valid-user', or only
   'Require user ""'?  (Not sure if the latter will work
   currently.)

My personal HO is 1) yes, we should allow it, and 2) yes,
it should be matched by 'valid-user' -- because, by virtue
of its being in the AuthUserFile database, it IS a valid
user by definition.

OtherBill differs, and I yield the [virtual] floor to him. :-D
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"
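
An added example, not part of the original message and not Apache's own code: a Python audit that flags AuthUserFile entries with an empty username or password field, such as the ':' line described in the message, and shows that a Basic credential of `Og==` decodes to a blank username and password. The function names and the sample file are assumptions made for illustration.

```python
import base64

def parse_basic(header):
    """Split an 'Authorization: Basic ...' value into (user, password)."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob.strip()).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def audit_authuserfile(text):
    """Return [(line_no, issue)] for entries with an empty user or password field."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        if ":" not in line:
            findings.append((line_no, "no ':' separator"))
            continue
        fields = line.split(":")
        user, pw = fields[0], fields[1]
        if not user and not pw:
            findings.append((line_no, "null entry: empty username and password"))
        elif not user:
            findings.append((line_no, "empty username"))
        elif not pw:
            findings.append((line_no, "empty password field"))
    return findings

# Constructed sample file; the hash strings are placeholders, not real hashes.
SAMPLE = """\
# constructed example
alice:PLACEHOLDER_HASH_1
:
bob:
:PLACEHOLDER_HASH_2
"""

if __name__ == "__main__":
    # "Og==" is the base64 encoding of a lone ':' (null username and password).
    print(parse_basic("Basic Og=="))
    for line_no, issue in audit_authuserfile(SAMPLE):
        print(f"line {line_no}: {issue}")
```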
