Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/01/29 00:54:26 UTC

DO NOT REPLY [Bug 16520] New: - cache MUST NOT cache responses to Authorization requests


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16520

 cache MUST NOT cache responses to Authorization requests

           Summary: cache MUST NOT cache responses to Authorization requests
           Product: Apache httpd-2.0
           Version: HEAD
          Platform: All
               URL: http://coad.measurement-factory.com/cgi-bin/coad/GraseInfoCgi?session=bug&info_id=test_clause/rfc2616/authorizn-cachedNot
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_cache
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: coad@measurement-factory.com


Looks like a possible RFC 2616 MUST violation.
Mod_cache caches responses to requests containing an
unusual Authorization header. The bug seems to be in
the HTTP header parser (or internal header
representation) because it is triggered by
adding white space after the header name (which is
legal per RFC 2616 "implied *LWS" rule).

Higher-than-default severity was chosen because
this bug may affect user privacy and might lead
to unauthorized access to protected resources
if some UAs send compliant (but not common)
Authorization headers. It is also likely that the
same [parsing/representation] bug may affect
handling of other headers (Connection?), but there
are no test cases to prove that speculation
at this time.

See attached trace(s) for details and ways to reproduce
the violation mentioned above.

Test case IDs in the trace link to human-oriented test case
description and RFC quotes, if available.
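The two pieces of the report, a header parser that mishandles the implied *LWS between the field-name and the colon, and the RFC 2616 section 14.8 rule that a shared cache MUST NOT store a response to a request carrying Authorization unless the response says s-maxage, must-revalidate or public, can be reproduced offline. The following is an added example and is not httpd or mod_cache code; the naive parser only models the failure mode the reporter describes (a field-name stored with trailing whitespace, so a lookup for "authorization" misses it), and the header blocks, the Host value and the Basic credential are constructed sample input.

```python
"""Header parsing and the RFC 2616 s14.8 Authorization rule.

Added example, not code from httpd or mod_cache. The header blocks below
are constructed sample input; the parsers are illustrative, not the
httpd parser.
"""
import re
from typing import Callable, Dict, List, Set

# RFC 2616 s14.8: the only response directives that allow a shared cache
# to store a response to a request that carried an Authorization header.
AUTH_OVERRIDE_DIRECTIVES = {"s-maxage", "must-revalidate", "public"}

Headers = Dict[str, List[str]]


def parse_headers_naive(raw: str) -> Headers:
    """Models the failure mode in the report: the name is cut at the first
    ':' but never trimmed, so "Authorization : ..." is stored under
    "authorization " (trailing space) and a lookup for "authorization" misses."""
    headers: Headers = {}
    for line in raw.split("\r\n"):
        if ":" not in line:
            continue  # blank line / end of block
        name, value = line.split(":", 1)
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


# field-name is 1*token chars (RFC 2616 s2.2 'token'); the second group is
# the implied *LWS between field-name and ':' that the report relies on.
_FIELD_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)([ \t]*):(.*)$")


def parse_headers(raw: str, allow_lws_before_colon: bool = True) -> Headers:
    """Canonicalising parser: lower-cases the field-name and strips the LWS
    on either side of ':'. RFC 2616 tolerates LWS before the colon; RFC 7230
    s3.2.4 later required servers to reject such requests with 400, which is
    what allow_lws_before_colon=False models."""
    headers: Headers = {}
    last_name = None
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t":  # RFC 2616 s4.2 continuation (folded) line
            if last_name is None:
                raise ValueError("continuation line before any header")
            headers[last_name][-1] += " " + line.strip()
            continue
        m = _FIELD_LINE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        name, lws, value = m.group(1).lower(), m.group(2), m.group(3).strip()
        if lws and not allow_lws_before_colon:
            raise ValueError(f"whitespace before ':' in {line!r}")
        headers.setdefault(name, []).append(value)
        last_name = name
    return headers


def cache_control_directives(headers: Headers) -> Set[str]:
    """Directive names (without '=value') from every Cache-Control header."""
    names: Set[str] = set()
    for field in headers.get("cache-control", []):
        for directive in field.split(","):
            names.add(directive.strip().split("=", 1)[0].lower())
    return names


def shared_cache_may_store(request: Headers, response: Headers) -> bool:
    """RFC 2616 s14.8: if the request had Authorization, a shared cache MUST
    NOT store the response unless it carries s-maxage, must-revalidate or
    public (the first two still require revalidation before reuse)."""
    if "authorization" not in request:
        return True
    return bool(cache_control_directives(response) & AUTH_OVERRIDE_DIRECTIVES)


# Constructed sample messages (header blocks only; request/status line omitted).
REQ_COMMON = "Host: example.test\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
REQ_LWS = "Host: example.test\r\nAuthorization : Basic dXNlcjpwYXNz\r\n\r\n"
RESP_PRIVATE = "Content-Type: text/plain\r\nContent-Length: 6\r\n\r\n"
RESP_PUBLIC = "Content-Type: text/plain\r\nCache-Control: public, max-age=60\r\n\r\n"


def storage_decisions(parser: Callable[[str], Headers]) -> Dict[str, bool]:
    """Run the s14.8 check through the given parser for the three sample cases."""
    return {
        "common_auth": shared_cache_may_store(parser(REQ_COMMON), parser(RESP_PRIVATE)),
        "lws_auth": shared_cache_may_store(parser(REQ_LWS), parser(RESP_PRIVATE)),
        "lws_auth_public": shared_cache_may_store(parser(REQ_LWS), parser(RESP_PUBLIC)),
    }


if __name__ == "__main__":
    print("naive  :", storage_decisions(parse_headers_naive))
    print("correct:", storage_decisions(parse_headers))
```

With the naive parser the "lws_auth" case comes back as storable, which is the violation in the report: the Authorization header is present on the wire but invisible to the cacheability check. The canonicalising parser stores both spellings under the same key and refuses to cache unless the response carries one of the section 14.8 directives. Whether to accept the LWS form at all is a separate decision: under RFC 2616 it is legal, and a parser must normalise it; under RFC 7230 the safer posture is to reject the request with 400, which the allow_lws_before_colon=False path does, so that no downstream component (cache, auth, logging) can disagree about which header it saw.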
