You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/03/08 15:24:58 UTC
DO NOT REPLY [Bug 50891] New: Apache rewrites WWW-Authenticate
headers from CGI programs
https://issues.apache.org/bugzilla/show_bug.cgi?id=50891
Summary: Apache rewrites WWW-Authenticate headers from CGI
programs
Product: Apache httpd-2
Version: 2.2.16
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_cgi
AssignedTo: bugs@httpd.apache.org
ReportedBy: alec-keyword-apache.d8a97a@setfilepointer.com
Created an attachment (id=26743)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26743)
patch to preserve WWW-authenticate headers in CGI responses
When parsing CGI response headers, apache rewrites the WWW-Authenticate headers
in a standards-compliant way. Unfortunately, popular browsers (Firefox 3.6.15
at least) do not correctly process the rewritten headers. This breaks
completely breaks authentication when multiple WWW-Authenticate headers are
sent from a CGI script.
There is already code to preserve Set-Cookie headers in util_script.c.
Replicating this code for WWW-Authenticate fixes the issue.
The attached patch implements this fix in the most trivial way.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org