www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Segey Pozdnyakov <ser...@mail.ru>
Subject mod_auth-any/7797: Incorrect URI comparison algorithm in mod_auth_digest
Date Fri, 01 Jun 2001 08:00:18 GMT

>Number:         7797
>Category:       mod_auth-any
>Synopsis:       Incorrect URI comparison algorithm in mod_auth_digest
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jun 01 01:10:01 PDT 2001
>Originator:     sereja@mail.ru
>Release:        1.3.20
Windows NT Server 4.0 Service Pack 5
Using binary distributive Of Apache (no compiler used)
ActivePerl 5.6.0 (build 620) used for executing CGI scripts
When I tried to use digest authentification (with module mod_auth_digest)
on simple CGI script test.pl (which works good without digest authentification;
 see code below), I get the following error message:

Digest: uri mismatch - </cgi-bin/test.pl> does not match request-uri </cgi-bin/test.pl?query=view>

I think that the problem is in incorrect URI comparison algorithm in
mod_auth_digest.c. Maybe I'm wrong, but in my opinion such requests should work
fine, where is no access violation (the script is always the same, only
parameters are changing).

use strict;
use CGI ':standard';

$p::query ||= 'start';

print header, start_html;

eval "&$p::query()";

sub start{
    print "<a href=test.pl?query=view>Test</a>";

sub view{
    print "OK";

 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message