Posted to cvs@httpd.apache.org by pq...@apache.org on 2004/07/10 09:47:23 UTC

cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

pquerna     2004/07/10 00:47:23

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
  Log:
  Backport of AuthDigestEnableQueryStringHack
  Needs a doc update to explain what it does.
  
  PR: 27785
  Reviewed by: André Malo, Geoffrey Young, Paul Querna
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.313 +7 -2      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.312
  retrieving revision 1.988.2.313
  diff -u -r1.988.2.312 -r1.988.2.313
  --- CHANGES	10 Jul 2004 04:45:21 -0000	1.988.2.312
  +++ CHANGES	10 Jul 2004 07:47:21 -0000	1.988.2.313
  @@ -1,7 +1,12 @@
   Changes with Apache 2.0.51
   
  -  *) Allow URLs for ServerAdmin. PR 28174. 
  -     [Paul Querna]
  +  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
  +     is set in r->subprocess_env allow mismatched query strings to pass.
  +     PR 27758.  [Paul Querna, Geoffrey Young]
  +
  +  *) Accept URLs for the ServerAdmin directive. If the supplied
  +     argument is not recognized as an URL, assume it's a mail address.
  +     PR 28174.  [Andr� Malo, Paul Querna]
   
     *) initialize server arrays prior to calling ap_setup_prelinked_modules
        so that static modules can push Defines values when registering
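
Review bot: the PR number in the new AuthDigestEnableQueryStringHack entry (PR 27758) does not match the commit log, which says "PR: 27785"; the STATUS entry removed in this same commit also says 27758, so one of the two is a transposition and should be corrected before release notes are generated from CHANGES. This hunk also rewords the unrelated ServerAdmin entry (PR 28174) and changes its attribution, which would be easier to track as its own commit.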
  
  
  
  1.751.2.952 +1 -7      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.951
  retrieving revision 1.751.2.952
  diff -u -r1.751.2.951 -r1.751.2.952
  --- STATUS	10 Jul 2004 05:01:31 -0000	1.751.2.951
  +++ STATUS	10 Jul 2004 07:47:22 -0000	1.751.2.952
  @@ -206,12 +206,6 @@
              support/ab.c: r1.143
          +1: jjclar, nd
   
  -    *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
  -       is set in r->subprocess_env allow mismatched query strings to pass.
  -       PR: 27758
  -       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_auth_digest.c?r1=1.86&r2=1.87
  -       +1: geoff, nd, pquerna
  -
       *) mod_dav: Send an EOS at the end of the multistatus brigade.
          http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/main/mod_dav.c?r1=1.105&r2=1.106
          +1: jorton
  
  
  
  No                   revision
  No                   revision
  1.72.2.8  +21 -0     httpd-2.0/modules/aaa/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_auth_digest.c,v
  retrieving revision 1.72.2.7
  retrieving revision 1.72.2.8
  diff -u -r1.72.2.7 -r1.72.2.8
  --- mod_auth_digest.c	24 Feb 2004 09:17:00 -0000	1.72.2.7
  +++ mod_auth_digest.c	10 Jul 2004 07:47:22 -0000	1.72.2.8
  @@ -1607,6 +1607,27 @@
           if (d_uri.query) {
               ap_unescape_url(d_uri.query);
           }
  +        else if (r_uri.query) {
  +            /* MSIE compatibility hack.  MSIE has some RFC issues - doesn't 
  +             * include the query string in the uri Authorization component
  +             * or when computing the response component.  the second part
  +             * works out ok, since we can hash the header and get the same
  +             * result.  however, the uri from the request line won't match
  +             * the uri Authorization component since the header lacks the 
  +             * query string, leaving us incompatable with a (broken) MSIE.
  +             * 
  +             * the workaround is to fake a query string match if in the proper
  +             * environment - BrowserMatch MSIE, for example.  the cool thing
  +             * is that if MSIE ever fixes itself the simple match ought to 
  +             * work and this code won't be reached anyway, even if the
  +             * environment is set.
  +             */
  +            
  +            if (apr_table_get(r->subprocess_env, 
  +                              "AuthDigestEnableQueryStringHack")) {
  +                d_uri.query = r_uri.query;
  +            }
  +        }
   
           if (r->method_number == M_CONNECT) {
               if (strcmp(resp->uri, r_uri.hostinfo)) {
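
Review bot: the apr_table_get(r->subprocess_env, "AuthDigestEnableQueryStringHack") test only checks that the variable is present, so any value, including "Off" or "0", enables the workaround; either compare the value or state in the comment and the docs that presence alone switches it on. The new comment is also the only place that says the branch fakes the query string match, so once it is taken the query string on the request line is no longer checked against anything the client put in the Authorization header. That trade-off deserves a sentence here and in the directive documentation, along with advice to set the variable as narrowly as possible.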
  
  
  

Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
+1 !

Dw.

On Tue, 3 Aug 2004, Paul Querna wrote:

> On Tue, 2004-08-03 at 15:22 -0400, Geoffrey Young wrote:
> > hmm, I guess this fell off the collective radar.
> >
> > any comments?  otherwise, I guess it's good enough and I'll just commit it
> > to both 2.0 and 2.1.
>
> Looks good to me.
>
> -Paul Querna
>
>
> > Geoffrey Young wrote:
> > >
> > > pquerna@apache.org wrote:
> > >
> > >>pquerna     2004/07/10 00:47:23
> > >>
> > >>  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
> > >>               modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
> > >>  Log:
> > >>  Backport of AuthDigestEnableQueryStringHack
> > >>  Needs a doc update to explain what it does.
> > >
> > >
> > > something like the attached?  corrections, tweaks, or other feedback welcome.
> > >
> > > --Geoff
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > Index: mod_auth_digest.xml
> > > ===================================================================
> > > RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_digest.xml,v
> > > retrieving revision 1.5.2.8
> > > diff -u -r1.5.2.8 mod_auth_digest.xml
> > > --- mod_auth_digest.xml	17 Apr 2004 18:43:37 -0000	1.5.2.8
> > > +++ mod_auth_digest.xml	12 Jul 2004 14:16:11 -0000
> > > @@ -72,7 +72,9 @@
> > >      browsers. As of November 2002, the major browsers that support digest
> > >      authentication are <a href="http://www.opera.com/">Opera</a>, <a
> > >      href="http://www.microsoft.com/windows/ie/">MS Internet
> > > -    Explorer</a> (fails when used with a query string), <a
> > > +    Explorer</a> (fails when used with a query string - see the
> > > +    <directive module="mod_auth_digest">AuthDigestEnableQueryStringHack
> > > +    </directive> option below for a workaround), <a
> > >      href="http://www.w3.org/Amaya/">Amaya</a>, <a
> > >      href="http://www.mozilla.org">Mozilla</a> and <a
> > >      href="http://channels.netscape.com/ns/browsers/download.jsp"
> > > @@ -81,6 +83,36 @@
> > >      in controlled environments.</p>
> > >      </note>
> > >  </section>
> > > +
> > > +<section id="msie"><title>Working with MS Internet Explorer</title>
> > > +    <p>The Digest authentication implementation in current Internet
> > > +    Explorer implementations has known issues, namely that <code><GET</code>
> > > +    requests with a query string are not RFC compliant.  There are a
> > > +    few ways to work around this issue.</p>
> > > +
> > > +    <p>
> > > +    The first way is to use <code>POST</code> requests instead of
> > > +    <code>GET</code> requests to pass data to your program.  This method
> > > +    is the simplest approach if your application can work with this
> > > +    limitation.
> > > +    </p>
> > > +
> > > +    <p>Apache also provides a workaround in the
> > > +    <code>AuthDigestEnableQueryStringHack</code> environment variable.
> > > +    If <code>AuthDigestEnableQueryStringHack</code> is true for the
> > > +    request, Apache will take steps to work around the MSIE bug and
> > > +    remove the request URI from the digest comparison.  Using this
> > > +    method would look like similar to the following.</p>
> > > +
> > > +    <example><title>Using Digest Authentication with MSIE:</title>
> > > +    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
> > > +    </example>
> > > +
> > > +    <p>See the <directive module="mod_setenvif">BrowserMatch</directive>
> > > +    directive for more details on conditionally setting environment
> > > +    variables</p>
> > > +</section>
> > > +
> > >
> > >  <directivesynopsis>
> > >  <name>AuthDigestFile</name>
>

Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

Posted by Paul Querna <ch...@force-elite.com>.
On Tue, 2004-08-03 at 15:22 -0400, Geoffrey Young wrote:
> hmm, I guess this fell off the collective radar.
> 
> any comments?  otherwise, I guess it's good enough and I'll just commit it
> to both 2.0 and 2.1.

Looks good to me.

-Paul Querna


> Geoffrey Young wrote:
> > 
> > pquerna@apache.org wrote:
> > 
> >>pquerna     2004/07/10 00:47:23
> >>
> >>  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
> >>               modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
> >>  Log:
> >>  Backport of AuthDigestEnableQueryStringHack
> >>  Needs a doc update to explain what it does.
> > 
> > 
> > something like the attached?  corrections, tweaks, or other feedback welcome.
> > 
> > --Geoff
> > 
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > Index: mod_auth_digest.xml
> > ===================================================================
> > RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_digest.xml,v
> > retrieving revision 1.5.2.8
> > diff -u -r1.5.2.8 mod_auth_digest.xml
> > --- mod_auth_digest.xml	17 Apr 2004 18:43:37 -0000	1.5.2.8
> > +++ mod_auth_digest.xml	12 Jul 2004 14:16:11 -0000
> > @@ -72,7 +72,9 @@
> >      browsers. As of November 2002, the major browsers that support digest
> >      authentication are <a href="http://www.opera.com/">Opera</a>, <a
> >      href="http://www.microsoft.com/windows/ie/">MS Internet
> > -    Explorer</a> (fails when used with a query string), <a
> > +    Explorer</a> (fails when used with a query string - see the
> > +    <directive module="mod_auth_digest">AuthDigestEnableQueryStringHack
> > +    </directive> option below for a workaround), <a
> >      href="http://www.w3.org/Amaya/">Amaya</a>, <a
> >      href="http://www.mozilla.org">Mozilla</a> and <a
> >      href="http://channels.netscape.com/ns/browsers/download.jsp"
> > @@ -81,6 +83,36 @@
> >      in controlled environments.</p>
> >      </note>
> >  </section>
> > +
> > +<section id="msie"><title>Working with MS Internet Explorer</title>
> > +    <p>The Digest authentication implementation in current Internet
> > +    Explorer implementations has known issues, namely that <code><GET</code>
> > +    requests with a query string are not RFC compliant.  There are a
> > +    few ways to work around this issue.</p>
> > +
> > +    <p>
> > +    The first way is to use <code>POST</code> requests instead of
> > +    <code>GET</code> requests to pass data to your program.  This method
> > +    is the simplest approach if your application can work with this
> > +    limitation.
> > +    </p>
> > +
> > +    <p>Apache also provides a workaround in the
> > +    <code>AuthDigestEnableQueryStringHack</code> environment variable.
> > +    If <code>AuthDigestEnableQueryStringHack</code> is true for the
> > +    request, Apache will take steps to work around the MSIE bug and
> > +    remove the request URI from the digest comparison.  Using this
> > +    method would look like similar to the following.</p>
> > +
> > +    <example><title>Using Digest Authentication with MSIE:</title>
> > +    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
> > +    </example>
> > +
> > +    <p>See the <directive module="mod_setenvif">BrowserMatch</directive>
> > +    directive for more details on conditionally setting environment
> > +    variables</p>
> > +</section>
> > +
> >  
> >  <directivesynopsis>
> >  <name>AuthDigestFile</name>


Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
hmm, I guess this fell off the collective radar.

any comments?  otherwise, I guess it's good enough and I'll just commit it
to both 2.0 and 2.1.

--Geoff

Geoffrey Young wrote:
> 
> pquerna@apache.org wrote:
> 
>>pquerna     2004/07/10 00:47:23
>>
>>  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
>>               modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
>>  Log:
>>  Backport of AuthDigestEnableQueryStringHack
>>  Needs a doc update to explain what it does.
> 
> 
> something like the attached?  corrections, tweaks, or other feedback welcome.
> 
> --Geoff
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Index: mod_auth_digest.xml
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_digest.xml,v
> retrieving revision 1.5.2.8
> diff -u -r1.5.2.8 mod_auth_digest.xml
> --- mod_auth_digest.xml	17 Apr 2004 18:43:37 -0000	1.5.2.8
> +++ mod_auth_digest.xml	12 Jul 2004 14:16:11 -0000
> @@ -72,7 +72,9 @@
>      browsers. As of November 2002, the major browsers that support digest
>      authentication are <a href="http://www.opera.com/">Opera</a>, <a
>      href="http://www.microsoft.com/windows/ie/">MS Internet
> -    Explorer</a> (fails when used with a query string), <a
> +    Explorer</a> (fails when used with a query string - see the
> +    <directive module="mod_auth_digest">AuthDigestEnableQueryStringHack
> +    </directive> option below for a workaround), <a
>      href="http://www.w3.org/Amaya/">Amaya</a>, <a
>      href="http://www.mozilla.org">Mozilla</a> and <a
>      href="http://channels.netscape.com/ns/browsers/download.jsp"
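
Review bot: AuthDigestEnableQueryStringHack is marked up as <directive module="mod_auth_digest"> on the added lines, but the section added in the next hunk describes it as an environment variable set through BrowserMatch, and this patch adds no directivesynopsis of that name. Use <code> and point at the new "msie" section instead. The line break before </directive> also leaves trailing whitespace inside the element.
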
> @@ -81,6 +83,36 @@
>      in controlled environments.</p>
>      </note>
>  </section>
> +
> +<section id="msie"><title>Working with MS Internet Explorer</title>
> +    <p>The Digest authentication implementation in current Internet
> +    Explorer implementations has known issues, namely that <code><GET</code>
> +    requests with a query string are not RFC compliant.  There are a
> +    few ways to work around this issue.</p>
> +
> +    <p>
> +    The first way is to use <code>POST</code> requests instead of
> +    <code>GET</code> requests to pass data to your program.  This method
> +    is the simplest approach if your application can work with this
> +    limitation.
> +    </p>
> +
> +    <p>Apache also provides a workaround in the
> +    <code>AuthDigestEnableQueryStringHack</code> environment variable.
> +    If <code>AuthDigestEnableQueryStringHack</code> is true for the
> +    request, Apache will take steps to work around the MSIE bug and
> +    remove the request URI from the digest comparison.  Using this
> +    method would look like similar to the following.</p>
> +
> +    <example><title>Using Digest Authentication with MSIE:</title>
> +    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
> +    </example>
> +
> +    <p>See the <directive module="mod_setenvif">BrowserMatch</directive>
> +    directive for more details on conditionally setting environment
> +    variables</p>
> +</section>
> +
>  
>  <directivesynopsis>
>  <name>AuthDigestFile</name>
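
Review bot: the first paragraph of the new "msie" section contains <code><GET</code>, where the stray "<" makes the XML not well-formed; it should read <code>GET</code>. In the third paragraph, "remove the request URI from the digest comparison" is broader than what the text around it describes (a problem with query strings only) and should say that only the query string is exempted. In the same section, "would look like similar to the following" needs rewording, and the closing sentence after BrowserMatch is missing its full stop.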

Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

pquerna@apache.org wrote:
> pquerna     2004/07/10 00:47:23
> 
>   Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
>                modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
>   Log:
>   Backport of AuthDigestEnableQueryStringHack
>   Needs a doc update to explain what it does.

something like the attached?  corrections, tweaks, or other feedback welcome.

--Geoff