From: Nick Kew
Date: Sun, 9 Sep 2007 15:38:08 +0000 (+0000)
Subject: Propagate Proxy-Authorization header correctly
X-Git-Tag: 2.3.0~1440
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8be6dff87c0dfafa22930511922d33d20b0c11f2;p=thirdparty%2Fapache%2Fhttpd.git

Propagate Proxy-Authorization header correctly

PR 25947
RFC2616 tells us:
(1) If we haven't authenticated, we must pass the header on.
(2) If we have authenticated, we MAY pass it on.
I've made the latter case configurable by ENV(Proxy-Chain-Auth).

Also, Proxy-Authenticate is a response header, and doesn't belong in a check of request headers.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@574021 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 8f41c840e14..e401fb2539e 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_proxy_http: Propagate Proxy-Authorization header correctly. + PR 25947 [Nick Kew] + *) mod_proxy: escape error-notes correctly PR 40952 [Thijs Kinkhorst ] diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 1654cd76b14..5df59f1ce0f 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c 
@@ -748,19 +748,22 @@ apr_status_t ap_proxy_http_request(apr_pool_t *p, request_rec *r, || !strcasecmp(headers_in[counter].key, "Trailer") || !strcasecmp(headers_in[counter].key, "Upgrade") - /* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be - * suppressed if THIS server requested the authentication, - * not when a frontend proxy requested it! - * - * The solution to this problem is probably to strip out - * the Proxy-Authorisation header in the authorisation - * code itself, not here. This saves us having to signal - * somehow whether this request was authenticated or not. - */ - || !strcasecmp(headers_in[counter].key,"Proxy-Authorization") - || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) { + ) { continue; } + /* Do we want to strip Proxy-Authorization ? + * If we haven't used it, then NO + * If we have used it then MAYBE: RFC2616 says we MAY propagate it. + * So let's make it configurable by env. + */ + if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) { + if (r->user != NULL) { /* we've authenticated */ + if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { + continue; + } + } + } + /* Skip Transfer-Encoding and Content-Length for now. */
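Review bot: the CHANGES entry added for mod_proxy_http ("Propagate Proxy-Authorization header correctly") does not name the Proxy-Chain-Auth environment variable, which is the only administrator-visible switch this commit introduces. Suggest extending the entry to say that Proxy-Authorization is now passed on for unauthenticated requests, and for authenticated requests only when Proxy-Chain-Auth is set in the request environment, so operators of chained proxies can see that credentials checked at this hop are forwarded to the next hop only on opt-in.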
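Review bot: in the mod_proxy_http.c hunk, the new block in ap_proxy_http_request treats `r->user != NULL` as proof that this server consumed Proxy-Authorization, but r->user is filled in by any authentication on the request, so a request authenticated here by other means (for example an ordinary Authorization header) has a Proxy-Authorization header meant for a later proxy stripped. That is the situation the removed FIXME comment warned about, only narrowed; if no better signal is available, the comment should state the limitation. Separately, `apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")` tests only for presence, so a value such as "off" or "0" still forwards the credentials upstream; either compare the value or document that any value enables forwarding. Also note that dropping "Proxy-Authenticate" from the skip list means a client-supplied request header of that name is now relayed to the backend, which deserves a line in the comment explaining that this is intended.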