Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1998/01/15 03:29:54 UTC

[PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)

+1 for 1.3 and 1.2. 

Dean

---------- Forwarded message ----------
Date: 14 Jan 1998 04:54:34 -0000
From: Ronald Tschalaer <Ro...@psi.ch>
To: apbugs@hyperreal.org
X-Send-Pr-Version:3.2
Subject: general/1666: Apache uses a case sensitive match for "Basic" auth scheme


>Number:         1666
>Category:       general
>Synopsis:       Apache uses a case sensitive match for "Basic" auth scheme
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jan 13 21:00:00 PST 1998
>Last-Modified:
>Originator:     Ronald.Tschalaer@psi.ch
>Organization:
apache
>Release:        1.3b3 and all previous
>Environment:
All
>Description:
When using basic authentication Apache requires the scheme token in the
Authorization header to be exactly "Basic". If you send for example

  Authorization: basic ...

the authorization will fail and the message "client used wrong authentication
scheme" will be logged.

Note this problem is already fixed for digest in PR# 1599.
>How-To-Repeat:
The easiest is to try and access a protected document using telnet and give
an auth header as described above.
>Fix:
All comparisons are already case insensitive except for one. Here is the
patch for the last one:

*** http_protocol.c     Mon Jan 12 15:41:21 1998
--- http_protocol.c.orig        Sat Nov  1 23:24:08 1997
***************
*** 943,949 ****
          return AUTH_REQUIRED;
      }
  
!     if (strcasecmp(getword(r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
                      "client used wrong authentication scheme: %s", r->uri);
--- 943,949 ----
          return AUTH_REQUIRED;
      }
  
!     if (strcmp(getword(r->pool, &auth_line, ' '), "Basic")) {
          /* Client tried to authenticate using wrong auth scheme */
          aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
                      "client used wrong authentication scheme: %s", r->uri);
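
Review bot: The diff direction is reversed. The `***` side (headed http_protocol.c) carries the `strcasecmp` line and the `---` side (headed http_protocol.c.orig) carries the `strcmp` line, so applying the patch as posted would replace the case-insensitive comparison with the case-sensitive one. Regenerate it with the original file first (`diff -c http_protocol.c.orig http_protocol.c`) or apply it with `patch -R`, and confirm that the committed line reads `strcasecmp(getword(r->pool, &auth_line, ' '), "Basic")`.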
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]





Re: [PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Wed, Jan 14, 1998 at 06:29:54PM -0800, Dean Gaudet wrote:
> +1 for 1.3 and 1.2. 

me too.     ;-)

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: [PATCH] general/1666: Apache uses a case sensitive match for "Basic" auth scheme (fwd)

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
+1

#ken	P-)}