From: Nick Kew Date: Sat, 22 Sep 2007 00:30:23 +0000 (+0000) Subject: Backport r574021 X-Git-Tag: 2.2.7~383 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8281650735943894598edeb56f57205ab760c8f1;p=thirdparty%2Fapache%2Fhttpd.git Backport r574021 Propagate Proxy-Authorization header correctly PR 25947 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@578336 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1d8ac6885f0..a9b8b0631f6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.7 + *) mod_proxy_http: Propagate Proxy-Authorization header correctly. + PR 25947 [Nick Kew] + *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD requests. PR 43060 [Jim Jagielski] @@ -343,7 +346,7 @@ Changes with Apache 2.2.4 *) mod_cgi and mod_cgid: Don't use apr_status_t error return from input filters as HTTP return value from the handler. - PR 31579. [Nick Kew] + PR 31759. [Nick Kew] *) mod_cache: Eliminate a bogus error in the log when a filter returns AP_FILTER_ERROR. [Niklas Edmundsson ] diff --git a/STATUS b/STATUS index 5d50215cc95..dc84ac57138 100644 --- a/STATUS +++ b/STATUS @@ -79,13 +79,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_proxy_http: Propagate Proxy-Authorization header correctly. - PR 25947 - http://svn.apache.org/viewvc?view=rev&revision=574021 - +1: niq, jfclere. - rpluem says: +1 in general, but please remove the tabs from your - patch and in trunk. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 534cbb5d43d..9617be8c3b0 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c 
@@ -755,19 +755,21 @@ apr_status_t ap_proxy_http_request(apr_pool_t *p, request_rec *r, || !strcasecmp(headers_in[counter].key, "Trailer") || !strcasecmp(headers_in[counter].key, "Upgrade") - /* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be - * suppressed if THIS server requested the authentication, - * not when a frontend proxy requested it! - * - * The solution to this problem is probably to strip out - * the Proxy-Authorisation header in the authorisation - * code itself, not here. This saves us having to signal - * somehow whether this request was authenticated or not. - */ - || !strcasecmp(headers_in[counter].key,"Proxy-Authorization") - || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) { + ) { continue; } + /* Do we want to strip Proxy-Authorization ? + * If we haven't used it, then NO + * If we have used it then MAYBE: RFC2616 says we MAY propagate it. + * So let's make it configurable by env. + */ + if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) { + if (r->user != NULL) { /* we've authenticated */ + if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { + continue; + } + } + } /* Skip Transfer-Encoding and Content-Length for now. */
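Review bot: The new CHANGES entry in the 2.2.7 section says only "Propagate Proxy-Authorization header correctly" and does not name the Proxy-Chain-Auth environment variable that the mod_proxy_http.c hunk introduces. An administrator reading CHANGES would not learn that the header is now forwarded to the backend whenever r->user is NULL, nor that forwarding after authentication is opt-in through that variable. Suggest extending the entry to mention both the new default and the variable name.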
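Review bot: In the second CHANGES hunk (the Apache 2.2.4 section), the change of the mod_cgi and mod_cgid entry from PR 31579 to PR 31759 is unrelated to the Proxy-Authorization backport and is not mentioned in the log message. Commit it separately, or add a line to the log, so the correction can be traced.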
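Review bot: In the mod_proxy_http.c hunk, the removed condition skipped both "Proxy-Authorization" and "Proxy-Authenticate", but the new block tests only "Proxy-Authorization", so an incoming Proxy-Authenticate request header is now forwarded to the backend, and neither the log message nor the CHANGES entry mentions it. If that is not intended, keep `|| !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")` in the skip list before the closing `) {`. Also, `r->user != NULL` shows that some authentication succeeded for the request, not that this Proxy-Authorization header was the credential consumed, so the comment "we've authenticated" covers more cases than the removed FIXME described ("if THIS server requested the authentication"). A short comment stating which case is meant would help the next reader.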