Posted to apache-bugdb@apache.org by Carol Ghijs <cg...@lms.be> on 1997/12/23 16:47:40 UTC
mod_proxy/1594: HTTP proxy refuses http://userid:passwd@some.internet.domain
>Number: 1594
>Category: mod_proxy
>Synopsis: HTTP proxy refuses http://userid:passwd@some.internet.domain
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Dec 23 07:50:00 PST 1997
>Last-Modified:
>Originator: cg@lms.be
>Organization:
apache
>Release: 1.3b3
>Environment:
HP-UX version B.10.20
Apache version 1.3b3
Proxy module included
>Description:
If entering URLs as mentioned in the synopsis, one gets
a Bad Request reply. FTP URLs do not cause problems
and work as expected.
>How-To-Repeat:
>Fix:
I compared modules/src/proxy_http.c with modules/src/proxy_ftp.c
and then tried the following changes which made this feature work. I
am unaware if these changes could introduce other problems as I am
very unfamiliar with the rest of the source code:
[herschel,cg,213] % diff src/modules/proxy/proxy_http.c src_modified/modules/proxy/proxy_http.c
61a62,81
> * checks an encoded http string for bad characters, namely, CR, LF, or
> * non-ascii character
> */
> static int http_check_string(const char *x)
> {
> int i, ch;
>
> for (i = 0; x[i] != '\0'; i++) {
> ch = x[i];
> if (ch == '%' && isxdigit(x[i + 1]) && isxdigit(x[i + 2])) {
> ch = proxy_hex2c(&x[i + 1]);
> i += 2;
> }
> if (ch == '\015' || ch == '\012' || (ch & 0x80))
> return 0;
> }
> return 1;
> }
>
> /*
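Review bot: in the `isxdigit(x[i + 1])` and `isxdigit(x[i + 2])` calls, `x` is a `const char *`, so on a platform where plain char is signed a byte with the high bit set reaches isxdigit as a negative value, which the <ctype.h> functions do not define; cast each argument to `unsigned char`. The final test also refuses only CR, LF and bytes with 0x80 set, so a decoded `%00` or any other control character makes the function return 1; if the aim is to keep control bytes out of the userinfo, reject everything below 0x20 and 0x7f too, and have the header comment list exactly what is refused.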
69c89
< char *host, *path, *search, *p, sport[7];
---
> char *user, *password, *host, *path, *search, *p, sport[7];
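Review bot: `user` and `password` are declared here without initializers, while the later `user != NULL` and `password != NULL` tests are only meaningful if the callee has written both pointers on every path. Initialize both to NULL at the declaration so those tests are well defined however `proxy_canon_netloc` returns.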
77c97
< err = proxy_canon_netloc(r->pool, &url, NULL, NULL, &host, &port);
---
> err = proxy_canon_netloc(r->pool, &url, &user, &password, &host, &port);
79a100,103
> if (user != NULL && !http_check_string(user))
> return BAD_REQUEST;
> if (password != NULL && !http_check_string(password))
> return BAD_REQUEST;
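Review bot: after these two checks nothing in the diff reads `user` or `password` again, so the visible change only stops the request from being refused; it does not show whether the credentials are passed on to the origin server or dropped. Say which is intended in a comment next to the checks, and if they are meant to be forwarded, include the code that does it in the same patch so it can be reviewed together with the validation.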
[herschel,cg,214] %
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]