Bug 62025

Summary: mod_headers doesn't edit WWW-Authentication from mod_auth_basic
Product: Apache httpd-2 Reporter: Roland Reichwein <rr>
Component: mod_headersAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal CC: paolo.dipatria
Priority: P2 Keywords: FixedInTrunk
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fix for editing headers from mod_auth_basic in mod_headers

Description Roland Reichwein 2018-01-20 08:11:55 UTC
Created attachment 35690 [details]
Fix for editing headers from mod_auth_basic in mod_headers


When using a directive like

    "Header always edit WWW-Authenticate ^Basic SR_Basic"

in the apache configuration to fine tune mod_auth_basic functionality, mod_headers doesn't change this header as expected.

I traced that apache adds the "WWW-Authenticate" header in mod_auth_basic.c (to r->err_headers_out) and afterwards handles the "Header" directive in mod_headers.c which unfortunately operates on a different copy of r->err_headers_out in mod_headers.c:ap_headers_error_filter().

When adding a second do_headers_fixup() to ap_headers_error_filter() as done in ap_headers_output_filter() to operate on r->headers_out also, the problem is gone.

Some context with a similar problem description at:


I'm attaching a patch that fixed it for me.


Comment 1 Luca Toscano 2018-10-21 17:46:55 UTC
Hi Roland,

thanks a lot for the report. I reproduced with the basic config outlined in the stack-overflow post and the latest 2.4.x version of the code.

gdb shows me:

Thread 6 "httpd" hit Breakpoint 1, ap_headers_error_filter (f=0x7fffc4007698, in=0x7fffc4007830) at mod_headers.c:906
906         do_headers_fixup(f->r, f->r->err_headers_out, dirconf->fixup_err, 0);
(gdb) dump_table f->r->err_headers_out
(gdb) dump_table f->r->headers_out
[0] 'WWW-Authenticate'='Basic realm="abcdef"' [0x7fffc4007658]

Header always should only add/modify/etc.. the err_headers_out list, not the headers_out one, so mod_headers seems to work as intended. The main issue that I am seeing is related to the WWW-Authenticate header, that should not be in headers_out..
Comment 2 Luca Toscano 2018-10-22 07:38:15 UTC
Also very interesting that with trunk I get the correct result:

# curl localhost/session/test -i
HTTP/1.1 401 Unauthorized
Date: Mon, 22 Oct 2018 07:35:07 GMT
Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.0f
HelloHello: Blupp
WWW-Authenticate: SR_Basic realm="abcdef"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

and gdb tells me that mod_headers get WWW-Authenticate in err_headers_out, as expected..
Comment 3 Luca Toscano 2018-10-22 08:25:36 UTC
I re-tested 2.4.x with http://svn.apache.org/r1832092 and it seems to work fine, can you test Roland if you still have patience/time?