Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/04/13 23:20:27 UTC
DO NOT REPLY [Bug 42120] New: - Apache authentication doesn't properly handle parameters in URL matching
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42120>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42120
Summary: Apache authentication doesn't properly handle parameters
in URL matching
Product: Apache httpd-2
Version: 2.2.4
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: mod_auth
AssignedTo: bugs@httpd.apache.org
ReportedBy: dopey@moonteeth.com
If a Location block is tagged as requiring auth, for example:

  <Location /somewhere>
    AuthName "REalm"
    AuthType Basic
    AuthBasicProvider ldapProvider
    require valid-user
  </Location>

A hit to http://server/somewhere or http://server/somewhere/ will be challenged
for authentication. However,
http://server/somewhere;parameter=value will not be challenged.
I believe this is incorrect as per RFC 2396:

  3.3. Path Component

     The path component contains data, specific to the authority (or the
     scheme if there is no authority component), identifying the resource
     within the scope of that scheme and authority.

        path          = [ abs_path | opaque_part ]

        path_segments = segment *( "/" segment )
        segment       = *pchar *( ";" param )
        param         = *pchar

        pchar         = unreserved | escaped |
                        ":" | "@" | "&" | "=" | "+" | "$" | ","

     The path may consist of a sequence of path segments separated by a
     single slash "/" character. Within a path segment, the characters
     "/", ";", "=", and "?" are reserved. Each path segment may include a
     sequence of parameters, indicated by the semicolon ";" character.
     The parameters are not significant to the parsing of relative
     references.

The last sentence I believe is saying that the parameter is not significant in
terms of the actual referenced path segment.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 42120] - Apache authentication doesn't properly handle parameters in URL matching
Posted by bu...@apache.org.
------- Additional Comments From nd@perlig.de 2007-04-14 04:07 -------
The nice thing about standards is that there are so many to choose from :-)
We would work against RFC 1738 if we did that and that way open a leak in order
to close another one (so to speak).
DO NOT REPLY [Bug 42120] - Apache authentication doesn't properly handle parameters in URL matching
Posted by bu...@apache.org.
------- Additional Comments From dopey@moonteeth.com 2007-04-13 23:23 -------
No, however, considering that the <Location> directive documentation notes that
it's a URL or URL-path, it implies that the URL RFC would be followed in order
to match a URL. If the URL RFC states that the path element parameter is not
significant to parsing the reference, then it seems that <Location> should
handle this properly.
I'm looking into using LocationMatch with a sane regex expression. However, it
just seems that this behavior is something a standard <Location> tag should be
able to handle.
DO NOT REPLY [Bug 42120] - Apache authentication doesn't properly handle parameters in URL matching
Posted by bu...@apache.org.
nd@perlig.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From nd@perlig.de 2007-04-13 14:27 -------
(In reply to comment #0)
> The parameters are not significant to the parsing of relative
> references.
>
> The last sentence I believe is saying that the parameter is not significant in
> terms of the actual referenced path segment.
I believe it doesn't say anything about particular server configuration
directives...
Why don't you just take LocationMatch if it bothers you? Changing the semantics
of Location would be a hard thing to do here anyway for compat reasons.
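
Added example, not part of the thread and not httpd code: a Python check that runs the URLs from the report through a simplified model of plain <Location> prefix matching and through one hypothetical LocationMatch-style pattern, flagging paths that reach the protected area only after ";param" is dropped. The prefix rule, the regex and the constructed sample paths are assumptions; whether a backend treats ";param" as the same resource depends on the deployment.

```python
import re
from urllib.parse import urlsplit

PROTECTED = "/somewhere"  # path of the <Location> block in the report

def plain_location_match(path, prefix=PROTECTED):
    """Simplified model (assumption): literal prefix that must end at the
    end of the path or at a '/' boundary, so ';' is not a boundary."""
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")

# Hypothetical LocationMatch candidate: ';' counts as a boundary too.
CANDIDATE = re.compile(r"^/somewhere(?:[;/]|$)")

def regex_location_match(path):
    return CANDIDATE.search(path) is not None

def strip_params(path):
    """Drop the ';param' part of every segment (the reporter's RFC 2396 reading)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def audit(urls):
    """Return (path, plain, regex, gap) per URL. gap is True when the path
    names the protected area once parameters are dropped, yet the plain
    prefix rule would not apply the auth requirement."""
    rows = []
    for url in urls:
        path = urlsplit(url).path  # urlsplit keeps ';params' in the path
        plain = plain_location_match(path)
        gap = plain_location_match(strip_params(path)) and not plain
        rows.append((path, plain, regex_location_match(path), gap))
    return rows

SAMPLE_URLS = [
    "http://server/somewhere",                  # from the report
    "http://server/somewhere/",                 # from the report
    "http://server/somewhere;parameter=value",  # from the report
    "http://server/somewhere;a=b/child",        # constructed
    "http://server/somewhere/page;x=1",         # constructed
    "http://server/somewhereelse",              # constructed, unrelated path
]

if __name__ == "__main__":
    for path, plain, regex, gap in audit(SAMPLE_URLS):
        print(f"{path:32} plain={plain!s:5} regex={regex!s:5} gap={gap}")
```

Any candidate pattern should be checked the same way against the real server, since a row with gap=True and regex=False would mean the workaround still leaves the path unchallenged.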