From: Geoffrey Young Date: Tue, 23 Mar 2004 13:57:48 +0000 (+0000) Subject: work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack X-Git-Tag: pre_ajp_proxy~468 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7665ccd49770104301cc00a611dc41970a5d6834;p=apache work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack is set in r->subprocess_env allow mismatched query strings to pass. PR: 27758 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103096 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4f3eac71ae..6c147bdffd 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack + is set in r->subprocess_env allow mismatched query strings to pass. + PR 27758. [Paul Querna , Geoffrey Young] + *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick] diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index e21311395b..c804abd944 100644 --- a/modules/aaa/mod_auth_digest.c +++ b/modules/aaa/mod_auth_digest.c 
@@ -1671,9 +1671,36 @@ static int authenticate_digest_user(request_rec *r) if (d_uri.path) { ap_unescape_url(d_uri.path); } + if (d_uri.query) { ap_unescape_url(d_uri.query); } + else if (r_uri.query) { + /* MSIE compatibility hack. MSIE has some RFC issues - doesn't + * include the query string in the uri Authorization component + * or when computing the response component. the second part + * works out ok, since we can hash the header and get the same + * result. however, the uri from the request line won't match + * the uri Authorization component since the header lacks the + * query string, leaving us incompatable with a (broken) MSIE. + * + * the workaround is to fake a query string match if in the proper + * environment - BrowserMatch MSIE, for example. the cool thing + * is that if MSIE ever fixes itself the simple match ought to + * work and this code won't be reached anyway, even if the + * environment is set. + */ + + if (apr_table_get(r->subprocess_env, + "AuthDigestEnableQueryStringHack")) { + + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Digest: " + "applying AuthDigestEnableQueryStringHack " + "to uri <%s>", resp->raw_request_uri); + + d_uri.query = r_uri.query; + } + } if (r->method_number == M_CONNECT) { if (strcmp(resp->uri, r_uri.hostinfo)) {
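Review bot: the CHANGES entry says the variable will "allow mismatched query strings to pass", which is broader than what the mod_auth_digest.c hunk does. The new branch is `else if (r_uri.query)`, so it is reached only when the uri in the Authorization header has no query string at all and the request line has one. A header uri that carries a different query string still takes the `if (d_uri.query)` path and is not affected. Suggest rewording the entry to say that a missing query string in the Authorization uri is tolerated, and noting that the behaviour is opt-in per request environment.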
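Review bot: in the mod_auth_digest.c hunk, `d_uri.query = r_uri.query` copies the request line's own query string into the value it is later compared against, so with the variable set any query string is accepted and that part of the request is no longer covered by the digest check. The comment notes that the client hashed the uri without the query string, which means the query can be changed between client and server without invalidating the response. The gate is only `apr_table_get(r->subprocess_env, "AuthDigestEnableQueryStringHack")`, and the comment suggests setting it with BrowserMatch MSIE, which keys on the client-supplied User-Agent, so any client can select the relaxed path. Suggest stating this trade-off in the code comment and in the module documentation (the visible diff touches only CHANGES and mod_auth_digest.c), and recommending that the variable be set only for the locations that need MSIE compatibility. Minor: "incompatable" in the comment should be "incompatible".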