httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject mod_ssl FakeBasicAuth, the colon problem (PR 52644)
Date Thu, 19 Jun 2014 12:22:13 GMT
I've had a user hit this: with FakeBasicAuth the client DN gets 
translated into a Basic auth blob of base64("username:password"), which 
then fails when the username part contains a ":" colon character.

At minimum mod_ssl could/should catch and fail auth under FakeBasicAuth 
when DN is seen with a ":", that's easy enough.  We *could* also try 
escaping the colon, but that introduces an inevitable ambiguity since 
there is no escaping standard.

One approach would be to escape any colon in the DN by replacing with 
some unusual character sequence ("@@@@" or whatever) and then only fail 
for unescaped DNs which contain that sequence to avoid ambiguity 
problems.

Any opinions before I hack something up?

Probably the "correct" way to approach this problem is using Graham's 
nice hacks in the trunk to allow users to construct an appropriate 
username:password blob based on expressions:

  http://svn.apache.org/viewvc?view=revision&revision=r1457471

but even that does not actually protect against the "colon problem".

Regards, Joe
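The colon problem and the two options from the message, worked through as an added Python example (not code from the message or from httpd/mod_ssl). It assumes, as in the mod_ssl documentation, that FakeBasicAuth pairs the DN with the fixed password "password"; the DN strings and the "@@@@" escape sequence are constructed for illustration, and the consumer side splits on the first colon as RFC 7617 requires.

```python
import base64

# Assumed for this example: FakeBasicAuth sends the fixed password "password".
FAKE_PASSWORD = "password"
# Hypothetical "unusual character sequence" standing in for the colon.
ESCAPE = "@@@@"


def build_basic_header(username: str, password: str = FAKE_PASSWORD) -> str:
    """Build the Authorization value the way FakeBasicAuth does: base64("user:pass")."""
    blob = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {blob}"


def parse_basic_header(header: str) -> tuple[str, str]:
    """Consumer side: decode and split on the FIRST colon (RFC 7617)."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob).decode()
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no colon in credential")
    return user, password


def naive_fake_basic_auth(dn: str) -> tuple[str, str]:
    """What a downstream consumer sees when the DN is passed through unchanged.
    A colon inside the DN shifts everything after it into the password."""
    return parse_basic_header(build_basic_header(dn))


def reject_colon_dn(dn: str) -> str:
    """The 'at minimum' option: fail auth for any DN that contains ':'."""
    if ":" in dn:
        raise ValueError("DN contains ':'; FakeBasicAuth cannot represent it")
    return dn


def escape_dn(dn: str) -> str:
    """The escaping option: replace ':' with ESCAPE, and refuse DNs that
    already contain ESCAPE so the mapping stays unambiguous."""
    if ESCAPE in dn:
        raise ValueError("DN already contains the escape sequence; refusing")
    return dn.replace(":", ESCAPE)


def unescape_username(username: str) -> str:
    """Reverse of escape_dn, applied by whatever later checks the username."""
    return username.replace(ESCAPE, ":")


def escaped_fake_basic_auth(dn: str) -> tuple[str, str]:
    """Round trip: escape the DN, build the blob, parse it, unescape the user."""
    user, password = parse_basic_header(build_basic_header(escape_dn(dn)))
    return unescape_username(user), password


if __name__ == "__main__":
    # Constructed DNs; the second one carries a colon in its CN.
    for dn in ("/C=US/O=Example/CN=Jane Doe", "/C=US/O=Example/CN=host:8443"):
        print("naive  :", naive_fake_basic_auth(dn))
        print("escaped:", escaped_fake_basic_auth(dn))
```

The naive path shows why a colon is unsafe rather than merely inconvenient: the consumer is behaving correctly, and it is the producer that has emitted a credential whose username field silently differs from the DN. The ambiguity guard in escape_dn is what keeps the escaped form a bijection; without it, a DN legitimately containing "@@@@" would be indistinguishable from an escaped colon.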
