From: Joshua Slive
To: dev@httpd.apache.org
Date: Mon, 9 Jun 2003 10:17:47 -0400 (Est (heure d'été))
Subject: Re: [PATCH] mod_auth_digest.c -- EnableQueryStringHack

On Sun, 8 Jun 2003, Cliff Woolley wrote:

> On Mon, 9 Jun 2003, André Malo wrote:
>
> > Just my opinion: I don't like it very much, since it decreases security and
> > violates the RFC very hard. The Client should be fixed, not the server.
> > ...but I won't stand in the way if there are positive votes on it.
>
> Well, part of the reason I said we should go back and look is that I
> seem to recall at least one person voicing exactly that same opinion the
> last time this came up -- and there might have been an actual veto.
>
> --Cliff

Does anyone know why MS hasn't fixed this? This problem has been well known for quite some time now.

Considering the fact that we don't want to discourage people from using digest, even if the client implementation is buggy, I might be tempted to accept the patch, but name the env variable something sufficiently nasty, like MSIE_DIGEST_SECURITY_HOLE.

Joshua.