httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Edward Rudd" <ed...@omegaware.com>
Subject Re: mod_auth_digest and MSIE
Date Fri, 19 Mar 2004 19:32:49 GMT
I do have to question the *idea* of hacking an RFC compliant module to
support non RFC behavior?  I know for Cyrus IMAP their stance is not to
break with the RFC, but to have the consumers complain to the MUA 
creator to fix their bug.  Though this issue has been brought up to MS
over a year ago, and they still refuse to fix it.

Another question would be, IF the hack does make it's way in, I suggest
that it should be wrapped around a big IF, so that a configuration 
directive must be enable to enable the hack. (similar to the
mod_auth_ldap MSFrontPage hack)


On Fri, 19 Mar 2004 13:30:08 -0500, Geoffrey
Young wrote:

> hi all...
> 
>   the MSIE + query string and mod_auth_digest came up again yesterday in
> bugzilla:
> 
>     http://issues.apache.org/bugzilla/show_bug.cgi?id=27758
> 
> the issue was discussed here a while ago, most notably in
> 
>   http://marc.theaimsgroup.com/?t=105510868000001&r=1&w=2
> 
> with most people thinking it was a decent enough idea but with little in
> terms of a resoltion.
> 
> anyway, I (along with a few others in the two threads) are kind of in
> favor of giving admins _some_ way to support MSIE + Digest.  I like
> Paul's original patch but kind of felt that playing with the comparison
> algorithm was, well, messier than messing with the individual
> components.  messy in either case but at least this way if the
> comparison ever needs to change there are less parentheses to worry
> about ;)
> 
> so new patch against HEAD is attached.  comments, new or changed
> opinions, implementation preferences, etc welcome.  if the consensus is
> that the idea is decent I'll keep reworking patches until everyone is
> satisfied with the details.
> 
> --GeoffIndex: modules/aaa/mod_auth_digest.c
> =================================================================== RCS
> file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v
> retrieving revision 1.86
> diff -u -r1.86 mod_auth_digest.c
> --- modules/aaa/mod_auth_digest.c	21 Feb 2004 00:53:18 -0000	1.86 +++
> modules/aaa/mod_auth_digest.c	19 Mar 2004 18:20:48 -0000 @@ -1671,8
> +1671,34 @@
>          if (d_uri.path) {
>              ap_unescape_url(d_uri.path);
>          }
> +
>          if (d_uri.query) {
>              ap_unescape_url(d_uri.query);
> +        }
> +        else if (r_uri.query) {
> +            /* MSIE compatibility hack.  MSIE has some RFC issues -
> doesn't +             * include the query string in the uri
> Authorization component +             * or when computing the response
> component.  the second part +             * works out ok, since we can
> hash the header and get the same +             * result.  however, the
> uri from the request line won't match +             * the uri
> Authorization component since the header lacks the +             * query
> string, leaving us incompatable with a (broken) MSIE. +             * + 
>            * the workaround is to fake a query string match if in the
> proper +             * environment - BrowserMatch MSIE, for example. 
> the cool thing +             * is that if MSIE ever fixes itself the
> simple match ought to +             * work and this code won't be
> reached anyway, even if the +             * environment is set. +       
>      */
> +
> +            if (apr_table_get(r->subprocess_env, +
>       "AuthDigestEnableQueryStringHack")) { +
> +                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Digest: "
> +
>                              "applying
>                              AuthDigestEnableQueryStringHack");
> +
> +               d_uri.query = r_uri.query; +            }
>          }
>          }
>          if (r->method_number == M_CONNECT) {


Mime
View raw message