Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1998/01/15 03:29:54 UTC
[PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)
+1 for 1.3 and 1.2.
Dean
---------- Forwarded message ----------
Date: 14 Jan 1998 04:54:34 -0000
From: Ronald Tschalaer <Ro...@psi.ch>
To: apbugs@hyperreal.org
X-Send-Pr-Version:3.2
Subject: general/1666: Apache uses a case sensitive match for "Basic" auth scheme
>Number: 1666
>Category: general
>Synopsis: Apache uses a case sensitive match for "Basic" auth scheme
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Jan 13 21:00:00 PST 1998
>Last-Modified:
>Originator: Ronald.Tschalaer@psi.ch
>Organization:
apache
>Release: 1.3b3 and all previous
>Environment:
All
>Description:
When using basic authentication Apache requires the scheme token in the
Authorization header to be exactly "Basic". If you send for example
Authorization: basic ...
the authorization will fail and the message "client used wrong authentication
scheme" will be logged.
Note this problem is already fixed for digest in PR# 1599.
>How-To-Repeat:
The easiest is to try and access a protected document using telnet and give
an auth header as described above.
>Fix:
All comparisons are already case insensitive except for one. Here is the
patch for the last one:
*** http_protocol.c Mon Jan 12 15:41:21 1998
--- http_protocol.c.orig Sat Nov 1 23:24:08 1997
***************
*** 943,949 ****
return AUTH_REQUIRED;
}
! if (strcasecmp(getword(r->pool, &auth_line, ' '), "Basic")) {
/* Client tried to authenticate using wrong auth scheme */
aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"client used wrong authentication scheme: %s", r->uri);
--- 943,949 ----
return AUTH_REQUIRED;
}
! if (strcmp(getword(r->pool, &auth_line, ' '), "Basic")) {
/* Client tried to authenticate using wrong auth scheme */
aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"client used wrong authentication scheme: %s", r->uri);
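Review bot: The diff is generated in the reverse direction. The file headers put the modified http_protocol.c on the "***" (old) side and http_protocol.c.orig on the "---" (new) side, so at line 946 the hunk as posted turns strcasecmp(...) back into strcmp(...), which is the opposite of the fix described. Please regenerate it with the original file first (diff -c http_protocol.c.orig http_protocol.c), or note that it has to be applied with patch -R.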
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
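The behaviour reported in the PR above, as an added example that is not part of the original thread and is not Apache's code: a stand-alone check of the scheme token in an Authorization value, run once with an exact match and once with a case-insensitive match. The helper names match_auth_scheme and token_equal_nocase are hypothetical, and the sample header values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive compare of n bytes; returns 1 when equal. */
static int token_equal_nocase(const char *a, const char *b, size_t n)
{
    while (n--)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
            return 0;
    return 1;
}

/* Hypothetical helper (not Apache's getword): if the first whitespace-
 * delimited token of an Authorization value equals `scheme`, return a
 * pointer to the credentials after it, otherwise NULL. */
static const char *match_auth_scheme(const char *value, const char *scheme,
                                     int ignore_case)
{
    size_t want = strlen(scheme), got;

    while (*value == ' ' || *value == '\t')
        value++;                        /* skip leading whitespace */
    got = strcspn(value, " \t");        /* length of the scheme token */
    if (got != want)
        return NULL;                    /* "Basicx" is not "Basic" */
    if (ignore_case ? !token_equal_nocase(value, scheme, want)
                    : strncmp(value, scheme, want) != 0)
        return NULL;
    value += got;
    while (*value == ' ' || *value == '\t')
        value++;                        /* skip separator before credentials */
    return value;
}

int main(void)
{
    /* Constructed sample values; the credentials are a placeholder. */
    static const char *samples[] = { "Basic dXNlcjpwYXNz", "basic dXNlcjpwYXNz",
                                     "Basicx dXNlcjpwYXNz", "Digest abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s strict=%s nocase=%s\n", samples[i],
               match_auth_scheme(samples[i], "Basic", 0) ? "accept" : "reject",
               match_auth_scheme(samples[i], "Basic", 1) ? "accept" : "reject");
    return 0;
}
```

The token length is compared before the bytes, so relaxing the case rule does not also accept a longer token that merely starts with "Basic".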
Re: [PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)
Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Wed, Jan 14, 1998 at 06:29:54PM -0800, Dean Gaudet wrote:
> +1 for 1.3 and 1.2.
me too. ;-)
Martin
--
| S I E M E N S | <Ma...@mch.sni.de> | Siemens Nixdorf
| ------------- | Voice: +49-89-636-46021 | Informationssysteme AG
| N I X D O R F | FAX: +49-89-636-44994 | 81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
Re: [PATCH] general/1666: Apache uses a case sensitive match for "Basic"
auth scheme (fwd)
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
+1
#ken P-)}