httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: svn commit: r1457471 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/expr.xml docs/manual/mod/mod_auth_basic.xml docs/manual/mod/mod_ssl.xml modules/aaa/mod_auth_basic.c
Date Sun, 17 Mar 2013 18:00:40 GMT
On 17 Mar 2013, at 6:54 PM, Eric Covener <covener@gmail.com> wrote:

> If we maintain the use of a password here, like mod_ssl does, wouldn't
> we need to make sure it doesn't come in over the wire?

We use apr_table_setn() which replaces anything that is there already, although if either
the username or the password resolve to an empty string it is possible for a user to inject
their own.

I think to be safe, we should unset the header in the two empty string cases. Done in r1457504.

Regards,
Graham
--
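The empty-string case discussed in this message, as an added example that is not part of the original post and not the code from r1457504. It is a simplified model: the small table type, fake_auth(), run_case() and the header values are assumptions made up for illustration; only the replace-on-set behaviour of apr_table_setn() and the unset-on-empty fix come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the request header table (not APR itself). */
struct hdr { const char *key, *val; };
struct table { struct hdr e[8]; int n; };

static const char *tbl_get(const struct table *t, const char *k) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].key, k) == 0) return t->e[i].val;
    return NULL;
}
static void tbl_unset(struct table *t, const char *k) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].key, k) == 0) {
            t->n--;
            t->e[i] = t->e[t->n];   /* move last entry into the gap */
            i--;                    /* re-check the moved entry */
        }
}
/* Same contract as apr_table_setn(): replace any existing value. */
static void tbl_setn(struct table *t, const char *k, const char *v) {
    tbl_unset(t, k);
    if (t->n < 8) t->e[t->n++] = (struct hdr){ k, v };
}

/* Hypothetical fake-auth step; cred is the header value the server built
 * from the resolved user and password. */
static void fake_auth(struct table *t, const char *user, const char *pass,
                      const char *cred, int unset_on_empty) {
    if (*user && *pass)
        tbl_setn(t, "Authorization", cred);  /* overwrites client value */
    else if (unset_on_empty)
        tbl_unset(t, "Authorization");       /* hardened: drop client value */
    /* otherwise the client-supplied header passes through untouched */
}

/* Returns the Authorization value seen after the step, or NULL. */
static const char *run_case(const char *user, const char *pass, int hardened) {
    struct table t = { .n = 0 };
    tbl_setn(&t, "Authorization", "Basic client-supplied"); /* constructed */
    fake_auth(&t, user, pass, "Basic server-generated", hardened);
    return tbl_get(&t, "Authorization");
}

int main(void) {
    const char *v = run_case("alice", "", 0);
    printf("empty password, no unset:   %s\n", v ? v : "(none)");
    v = run_case("alice", "", 1);
    printf("empty password, with unset: %s\n", v ? v : "(none)");
    return 0;
}
```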

