httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject AuthLDAPCharsetConfig considered harmful
Date Tue, 10 Feb 2009 13:45:40 GMT
The AuthLDAPCharsetConfig directive allows server admins to do charset 
conversion of the username passed in the HTTP auth headers.

RFC 2617 does not specify use of encoding non-ASCII usernames in the 
{Proxy-},Authorization request headers; mod_authnz_ldap is guessing an 
encoding based on any Accept-Language header in the request.  Given that 
use of non-ASCII in HTTP authz is not specified by RFC, this is:

a) imposing a de facto standard, and 
b) setting a false expectation that use of non-ASCII usernames will 
actually work with HTTP, and
c) not going to work in practice, as I just had a user complain.

So it seems like a bad idea all round.  Am I missing anything?

Regards, Joe
