Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/03/08 15:24:58 UTC

DO NOT REPLY [Bug 50891] New: Apache rewrites WWW-Authenticate headers from CGI programs

https://issues.apache.org/bugzilla/show_bug.cgi?id=50891

           Summary: Apache rewrites WWW-Authenticate headers from CGI
                    programs
           Product: Apache httpd-2
           Version: 2.2.16
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_cgi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: alec-keyword-apache.d8a97a@setfilepointer.com


Created an attachment (id=26743)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26743)
patch to preserve WWW-authenticate headers in CGI responses

When parsing CGI response headers, Apache rewrites the WWW-Authenticate headers
in a standards-compliant way.  Unfortunately, popular browsers (Firefox 3.6.15
at least) do not correctly process the rewritten headers.  This completely
breaks authentication when multiple WWW-Authenticate headers are sent from a
CGI script.

There is already code to preserve Set-Cookie headers in util_script.c. 
Replicating this code for WWW-Authenticate fixes the issue.

The attached patch implements this fix in the most trivial way.

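
The behaviour the report describes, modelled as an added example (not code from the report, the attached patch or httpd). It assumes the rewriting is the folding of repeated fields into one comma-separated line; the function names and the sample headers are constructed for illustration.

```python
import re

# Constructed CGI output: two challenges, as a script offering two schemes might send.
CONSTRUCTED_CGI_HEADERS = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Digest realm="a, b", nonce="n1"'),
    ("Set-Cookie", "sid=1; Path=/"),
    ("Set-Cookie", "pref=2; Path=/"),
]


def emit_headers(cgi_headers, preserve=("set-cookie",)):
    """Fold repeated fields with ', ' unless the name is listed in `preserve`.

    Assumption: this folding is the "rewriting" the report refers to.
    """
    folded, kept = {}, []
    for name, value in cgi_headers:
        key = name.lower()
        if key in preserve:
            kept.append((name, value))          # one output line per input line
        elif key in folded:
            folded[key][1] += ", " + value      # merged into the first occurrence
        else:
            folded[key] = [name, value]
    return [tuple(pair) for pair in folded.values()] + kept


def split_challenges(value):
    """List-grammar parse: split on commas outside quotes, then regroup params."""
    items = re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', value)
    challenges = []
    for item in (i.strip() for i in items):
        if not item:
            continue
        if challenges and re.match(r'[^\s=,"]+\s*=', item):
            challenges[-1] += ", " + item       # auth-param of the current challenge
        else:
            challenges.append(item)             # a bare scheme starts a new challenge
    return challenges


def schemes_seen(headers, per_line_only):
    """Schemes a client sees; per_line_only models one challenge per header line."""
    values = [v for n, v in headers if n.lower() == "www-authenticate"]
    if not per_line_only:
        values = [c for v in values for c in split_challenges(v)]
    return [v.split()[0].rstrip(",") for v in values]
```

With the default preserve list, a client that reads one challenge per line sees only the first scheme in the folded header; adding "www-authenticate" to the list keeps one line per challenge, which is the approach the report proposes.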