httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Holsman <>
Subject Re: Patch: PR#7063
Date Tue, 26 Mar 2002 01:39:13 GMT
Marc Slemko wrote:
> On Mon, 25 Mar 2002, Eli Marmor wrote:
>>And a yet another note:
>>It is not a bug that "sometime" causes problems;
>>It is a bug that causes mod_auth_digest to fail ALWAYS (when there are
>>parameters, of course).
> That is defined as "sometimes".  And it is only IE with which it fails,
> no?
>>So it looks important for me to commit this patch.
>>Especially when there is no need to dig into the source, find the
>>problem, fix it, and test it, but everything is ready and you just have
>>to commit.
> Isn't this a matter of IE incorrectly implementing the spec?  
> Will making this change break browsers that do properly implement it?
should we implement this kind of thing by way of a 'browsermatch ...'
so that we could live in the best of both worlds? or is this still a 
security issue for IE users?

> It is not obvious if or how we should attempt to cope with IE's 
> brokenness, so it is not something that can just be blindly
> applied.  Blindly ignoring the query string on a request can have
> security implications as well that need to be understood.

View raw message