From: Paul Querna
Date: Sat, 10 Jul 2004 07:47:22 +0000 (+0000)
Subject: Backport of AuthDigestEnableQueryStringHack
X-Git-Tag: STRIKER_2_0_51_RC1^2~156
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b587076e9751468477806897a15b62a7d3fc1511;p=thirdparty%2Fapache%2Fhttpd.git

Backport of AuthDigestEnableQueryStringHack

Needs a doc update to explain what it does.

PR: 27785
Reviewed by: André Malo, Geoffrey Young, Paul Querna

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@104218 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 6b9118b50be..a63ab2e9367 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,12 @@ Changes with Apache 2.0.51 - *) Allow URLs for ServerAdmin. PR 28174. - [Paul Querna] + *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack + is set in r->subprocess_env allow mismatched query strings to pass. + PR 27758. [Paul Querna, Geoffrey Young] + + *) Accept URLs for the ServerAdmin directive. If the supplied + argument is not recognized as an URL, assume it's a mail address. + PR 28174. [André Malo, Paul Querna] *) initialize server arrays prior to calling ap_setup_prelinked_modules so that static modules can push Defines values when registering diff --git a/STATUS b/STATUS index 9985fe33a82..0741334757a 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2004/07/10 05:01:31 $] +Last modified at [$Date: 2004/07/10 07:47:22 $] Release:
@@ -206,12 +206,6 @@ PATCHES TO BACKPORT FROM 2.1 support/ab.c: r1.143 +1: jjclar, nd - *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack - is set in r->subprocess_env allow mismatched query strings to pass. - PR: 27758 - http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_auth_digest.c?r1=1.86&r2=1.87 - +1: geoff, nd, pquerna - *) mod_dav: Send an EOS at the end of the multistatus brigade. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/main/mod_dav.c?r1=1.105&r2=1.106 +1: jorton diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index 2e09622b858..134e2652917 100644 --- a/modules/aaa/mod_auth_digest.c +++ b/modules/aaa/mod_auth_digest.c @@ -1607,6 +1607,27 @@ static int authenticate_digest_user(request_rec *r) if (d_uri.query) { ap_unescape_url(d_uri.query); } + else if (r_uri.query) { + /* MSIE compatibility hack. MSIE has some RFC issues - doesn't + * include the query string in the uri Authorization component + * or when computing the response component. the second part + * works out ok, since we can hash the header and get the same + * result. however, the uri from the request line won't match + * the uri Authorization component since the header lacks the + * query string, leaving us incompatable with a (broken) MSIE. + * + * the workaround is to fake a query string match if in the proper + * environment - BrowserMatch MSIE, for example. the cool thing + * is that if MSIE ever fixes itself the simple match ought to + * work and this code won't be reached anyway, even if the + * environment is set. + */ + + if (apr_table_get(r->subprocess_env, + "AuthDigestEnableQueryStringHack")) { + d_uri.query = r_uri.query; + } + } if (r->method_number == M_CONNECT) { if (strcmp(resp->uri, r_uri.hostinfo)) {
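Review bot: The CHANGES entry for the Digest workaround cites PR 27758, and so does the STATUS entry this commit removes, but the commit message says "PR: 27785"; one of the two is transposed and should be corrected so the change can be traced to the right report. Separately, the same CHANGES hunk rewords the ServerAdmin entry and adds André Malo to its credit, which is unrelated to the backport named in the subject line and would be easier to review as its own commit.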
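Review bot: In the mod_auth_digest.c hunk, the new `else if (r_uri.query)` branch in authenticate_digest_user() tests only that AuthDigestEnableQueryStringHack is present in r->subprocess_env, so any value, including "Off" or "0", turns the workaround on; either check the value or state in the documentation that presence alone enables it. Once `d_uri.query = r_uri.query;` runs, the query comparison that follows succeeds by construction, and per the comment the client's response hash did not cover the query string either, so for these requests the query part of the request line is no longer bound to the digest. The doc update the commit message asks for should spell that out and recommend setting the variable only for the affected client (the comment suggests BrowserMatch MSIE) and only on the locations that need it, keeping in mind that the match is made on a client-supplied header. Minor: "incompatable" in the comment should read "incompatible".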