httpd-dev mailing list archives

From André Malo ...@perlig.de>
Subject Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c
Date Tue, 11 Feb 2003 02:50:03 GMT
* nd@apache.org wrote:

>   Do not use local paths for the domain parameter on non-unix systems.
> 
>   PR: 16937

The guessing code is somewhat weird anyway.

RFC 2617, 3.2.1 writes (about 'domain'):

| If this directive is omitted or its value is empty, the client should
| assume that the protection space consists of all URIs on the responding
| server.

And the ABNF says:
domain            = "domain" "=" <"> URI *( 1*SP URI ) <">
URI               = absoluteURI | abs_path

so,
a) domain _cannot_ be empty. We should omit it entirely if it has no value,
   right? (I think it's probably intended that it can be empty, but who
   knows the clients?)
b) We have to ensure that (at least the guessed) domain is either an
   absoluteURI or an abs_path. This is currently not the case.

   IMHO, we should (1) guess more strictly and throw a 500 with a hint in
   the error_log to use AuthDigestDomain or (2) require AuthDigestDomain
   always.
   I'd prefer the latter for 2.1.
   
Opinions?

nd
-- 
That reminds me, why is there actually no "i" with a little heart
as its dot in Unicode? That would be sooo sweet!
 
                                 -- Björn Höhrmann in darw
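
The check asked for in points a) and b) of the message above, as an added example that is not code from the message or from mod_auth_digest.c: an empty value means the directive is omitted, and every space-separated entry must be an abs_path or an absoluteURI. The function names, the result enum, the simplified RFC 2396 character test and the one-letter-scheme rule are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum domain_check { DOMAIN_OK, DOMAIN_OMIT, DOMAIN_INVALID };

/* One URI of length n: abs_path ("/...") or absoluteURI (scheme ":" rest).
 * Simplified from RFC 2396: only the leading structure and characters
 * that may never appear unescaped are checked. */
static int is_abs_uri_or_path(const char *s, size_t n)
{
    size_t i;
    if (n == 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isgraph(c) || strchr("\"<>\\^`{|}", c)) return 0;
    }
    if (s[0] == '/') return 1;                       /* abs_path */
    if (!isalpha((unsigned char)s[0])) return 0;
    for (i = 1; i < n && (isalnum((unsigned char)s[i]) || strchr("+-.", s[i])); i++)
        ;
    /* Assumption of this example: a one-letter scheme is treated as a
     * drive letter ("C:/htdocs") and rejected rather than sent as a URI. */
    return i >= 2 && i + 1 < n && s[i] == ':';
}

/* value: candidate for domain="...", guessed or taken from AuthDigestDomain. */
enum domain_check check_digest_domain(const char *value)
{
    const char *p = value;
    if (p == NULL || *p == '\0') return DOMAIN_OMIT; /* never send domain="" */
    for (;;) {
        size_t len = strcspn(p, " ");
        if (!is_abs_uri_or_path(p, len)) return DOMAIN_INVALID;
        p += len;
        if (*p == '\0') return DOMAIN_OK;
        p += strspn(p, " ");                         /* 1*SP between URIs */
        if (*p == '\0') return DOMAIN_INVALID;       /* trailing space */
    }
}

int main(void)
{
    /* Constructed sample values, not taken from the httpd source. */
    const char *v[] = { "", "/private/ http://example.org/a/", "htdocs/private", "C:\\htdocs" };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++)
        printf("%-34s -> %d\n", v[i], check_digest_domain(v[i]));
    return 0;
}
```

A caller following option (1) from the message would map DOMAIN_INVALID to a 500 plus an error_log hint, and DOMAIN_OMIT to leaving the directive out of the challenge.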
