httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Holsman <i...@apache.org>
Subject Re: Patch: PR#7063
Date Tue, 26 Mar 2002 01:39:13 GMT
Marc Slemko wrote:
> On Mon, 25 Mar 2002, Eli Marmor wrote:
> 
> 
>>And a yet another note:
>>
>>It is not a bug that "sometime" causes problems;
>>It is a bug that causes mod_auth_digest to fail ALWAYS (when there are
>>parameters, of course).
> 
> 
> That is defined as "sometimes".  And it is only IE with which it fails,
> no?
> 
> 
>>So it looks important for me to commit this patch.
>>Especially when there is no need to dig into the source, find the
>>problem, fix it, and test it, but everything is ready and you just have
>>to commit.
> 
> 
> Isn't this a matter of IE incorrectly implementing the spec?  
> 
> Will making this change break browsers that do properly implement it?
> 
should we implement this kind of thing by way of a 'browsermatch ...'
so that we could live in the best of both worlds? or is this still a 
security issue for IE users?

> It is not obvious if or how we should attempt to cope with IE's 
> brokenness, so it is not something that can just be blindly
> applied.  Blindly ignoring the query string on a request can have
> security implications as well that need to be understood.
> 




Mime
View raw message