Backport of AuthDigestEnableQueryStringHack

Needs a doc update to explain what it does.

PR: 27785
Reviewed by: Andr� Malo, Geoffrey Young, Paul Querna

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@104218 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6b9118b50be98f3b813ffd292de9ab9f52114417..a63ab2e9367064a92bee465f71f15c187e734398 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,12 @@
 Changes with Apache 2.0.51
 
-  *) Allow URLs for ServerAdmin. PR 28174. 
-     [Paul Querna]
+  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
+     is set in r->subprocess_env allow mismatched query strings to pass.
+     PR 27758.  [Paul Querna, Geoffrey Young]
+
+  *) Accept URLs for the ServerAdmin directive. If the supplied
+     argument is not recognized as an URL, assume it's a mail address.
+     PR 28174.  [André Malo, Paul Querna]
 
   *) initialize server arrays prior to calling ap_setup_prelinked_modules
      so that static modules can push Defines values when registering

diff --git a/STATUS b/STATUS
index 9985fe33a826f42928b4f57e948dc0753318c126..0741334757a5c4094aaf00b560748df3fd78f210 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2004/07/10 05:01:31 $]
+Last modified at [$Date: 2004/07/10 07:47:22 $]
 
 Release:
 
@@ -206,12 +206,6 @@ PATCHES TO BACKPORT FROM 2.1
            support/ab.c: r1.143
        +1: jjclar, nd
 
-    *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
-       is set in r->subprocess_env allow mismatched query strings to pass.
-       PR: 27758
-       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_auth_digest.c?r1=1.86&r2=1.87
-       +1: geoff, nd, pquerna
-
     *) mod_dav: Send an EOS at the end of the multistatus brigade.
        http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/main/mod_dav.c?r1=1.105&r2=1.106
        +1: jorton

diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 2e09622b858aea08527de1f887f95409029ef118..134e2652917f66a98681e2e012f500c970c7a346 100644 (file)
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -1607,6 +1607,27 @@ static int authenticate_digest_user(request_rec *r)
         if (d_uri.query) {
             ap_unescape_url(d_uri.query);
         }
+        else if (r_uri.query) {
+            /* MSIE compatibility hack.  MSIE has some RFC issues - doesn't 
+             * include the query string in the uri Authorization component
+             * or when computing the response component.  the second part
+             * works out ok, since we can hash the header and get the same
+             * result.  however, the uri from the request line won't match
+             * the uri Authorization component since the header lacks the 
+             * query string, leaving us incompatable with a (broken) MSIE.
+             * 
+             * the workaround is to fake a query string match if in the proper
+             * environment - BrowserMatch MSIE, for example.  the cool thing
+             * is that if MSIE ever fixes itself the simple match ought to 
+             * work and this code won't be reached anyway, even if the
+             * environment is set.
+             */
+            
+            if (apr_table_get(r->subprocess_env, 
+                              "AuthDigestEnableQueryStringHack")) {
+                d_uri.query = r_uri.query;
+            }
+        }
 
         if (r->method_number == M_CONNECT) {
             if (strcmp(resp->uri, r_uri.hostinfo)) {