httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_ssl FakeBasicAuth, the colon problem (PR 52644)
Date Thu, 26 Jun 2014 07:22:20 GMT


Joe Orton wrote:
> I've had a user hit this: with FakeBasicAuth the client DN gets 
> translated into a Basic auth blob of base64("username:password"), which 
> then fails when the username part contains a ":" colon character.
> 
> At minimum mod_ssl could/should catch and fail auth under FakeBasicAuth 
> when DN is seen with a ":", that's easy enough.  We *could* also try 
> escaping the colon, but that introduces an inevitable ambiguity since 
> there is no escaping standard.
> 
> One approach would be to escape any colon in the DN by replacing with 
> some unusual character sequence ("@@@@" or whatever) and then only fail 
> for unescaped DNs which contain that sequence to avoid ambiguity 
> problems.
> 
> Any opinions before I hack something up?
> 
> Probably the "correct" way to approach this problem is using Graham's 
> nice hacks in the trunk to allow users to construct an appropriate 
> username:password blob based on expressions:
> 
>   http://svn.apache.org/viewvc?view=revision&revision=r1457471

+1 on this being the real fix, at least where the expression parser is available.
Maybe just document the colon problem with FakeBasicAuth and point the user to AuthBasicFake
to do their own escaping of the colon with the expression parser (at best with an example).
But I just realize that a simple search-and-replace function is missing in the expression
parser.
So maybe hack that up and then go the way above?

Regards

Rüdiger
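The round trip Joe describes (DN with a colon, split on the first colon by the Basic-auth consumer) and the escape-with-a-reserved-sequence-and-reject-collisions scheme he proposes, as an added Python illustration that is not httpd's code; the "@@@@" sequence, the helper names and the sample DN are assumptions, and the fixed fake password "password" is the one mod_ssl documents for FakeBasicAuth.

```python
import base64

FAKE_PASSWORD = "password"   # fixed fake password mod_ssl uses with FakeBasicAuth
ESCAPE_SEQ = "@@@@"          # the "unusual character sequence" proposed above (assumed)


def make_blob(user: str, password: str = FAKE_PASSWORD) -> str:
    """Build the Basic credential the way FakeBasicAuth does: base64('user:password')."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def split_blob(blob: str) -> tuple[str, str]:
    """What a Basic-auth consumer does (RFC 7617): split on the *first* colon."""
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def naive_fake_basic_auth(dn: str) -> str:
    """Current behaviour: the DN goes into the blob unmodified, colons and all."""
    return make_blob(dn)


def is_ambiguous(dn: str) -> bool:
    """Detect the PR 52644 case: the DN does not survive the blob round trip."""
    return split_blob(naive_fake_basic_auth(dn)) != (dn, FAKE_PASSWORD)


def escape_dn(dn: str) -> str:
    """Replace ':' with ESCAPE_SEQ; refuse a DN that already contains the
    sequence, so an escaped and an unescaped DN can never collide."""
    if ESCAPE_SEQ in dn:
        raise ValueError(f"DN contains reserved sequence {ESCAPE_SEQ!r}; failing auth")
    return dn.replace(":", ESCAPE_SEQ)


def unescape_dn(user: str) -> str:
    """Inverse of escape_dn, for whoever consumes the faked username."""
    return user.replace(ESCAPE_SEQ, ":")


def escaped_fake_basic_auth(dn: str) -> str:
    """Proposed behaviour: escape the DN before building the blob."""
    return make_blob(escape_dn(dn))


if __name__ == "__main__":
    dn = "/C=US/O=ACME/OU=R&D:Ops/CN=Alice"   # constructed sample DN containing a colon
    print("naive split:", split_blob(naive_fake_basic_auth(dn)))
    user, pw = split_blob(escaped_fake_basic_auth(dn))
    print("escaped split:", (unescape_dn(user), pw))
```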

