httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [PATCH] mod_auth_digest.c -- EnableQueryStringHack
Date Mon, 09 Jun 2003 14:17:47 GMT

On Sun, 8 Jun 2003, Cliff Woolley wrote:

> On Mon, 9 Jun 2003, André Malo wrote:
>
> > Just my opinion: I don't like it very much, since it decreases security and
> > violates the RFC very hard. The Client should be fixed, not the server.
> > ...but I won't stand in the way if there are positive votes on it.
>
> Well, part of the reason I said we should go back and look is that I
> seem to recall at least one person voicing exactly that same opinion the
> last time this came up -- and there might have been an actual veto.
> --Cliff

Does anyone know why MS hasn't fixed this?  This problem has been well
known for quite some time now.

Considering the fact that we don't want to discourage people from using
digest, even if the client implementation is buggy, I might be tempted to
accept the patch, but name the env variable something sufficiently nasty,
like MSIE_DIGEST_SECURITY_HOLE.

Joshua.
