|Summary:||mod_headers doesn't edit WWW-Authentication from mod_auth_basic|
|Product:||Apache httpd-2||Reporter:||Roland Reichwein <rr>|
|Component:||mod_headers||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
|Attachments:||Fix for editing headers from mod_auth_basic in mod_headers|
Description Roland Reichwein 2018-01-20 08:11:55 UTC
Created attachment 35690 [details] Fix for editing headers from mod_auth_basic in mod_headers Hi! When using a directive like "Header always edit WWW-Authenticate ^Basic SR_Basic" in the apache configuration to fine tune mod_auth_basic functionality, mod_headers doesn't change this header as expected. I traced that apache adds the "WWW-Authenticate" header in mod_auth_basic.c (to r->err_headers_out) and afterwards handles the "Header" directive in mod_headers.c which unfortunately operates on a different copy of r->err_headers_out in mod_headers.c:ap_headers_error_filter(). When adding a second do_headers_fixup() to ap_headers_error_filter() as done in ap_headers_output_filter() to operate on r->headers_out also, the problem is gone. Some context with a similar problem description at: https://stackoverflow.com/questions/46220113/remove-www-authenticate-header I'm attaching a patch that fixed it for me. Thanks! Roland
Comment 1 Luca Toscano 2018-10-21 17:46:55 UTC
Hi Roland, thanks a lot for the report. I reproduced with the basic config outlined in the stack-overflow post and the latest 2.4.x version of the code. gdb shows me: Thread 6 "httpd" hit Breakpoint 1, ap_headers_error_filter (f=0x7fffc4007698, in=0x7fffc4007830) at mod_headers.c:906 906 do_headers_fixup(f->r, f->r->err_headers_out, dirconf->fixup_err, 0); (gdb) dump_table f->r->err_headers_out (gdb) dump_table f->r->headers_out  'WWW-Authenticate'='Basic realm="abcdef"' [0x7fffc4007658] Header always should only add/modify/etc.. the err_headers_out list, not the headers_out one, so mod_headers seems to work as intended. The main issue that I am seeing is related to the WWW-Authenticate header, that should not be in headers_out..
Comment 2 Luca Toscano 2018-10-22 07:38:15 UTC
Also very interesting that with trunk I get the correct result: # curl localhost/session/test -i HTTP/1.1 401 Unauthorized Date: Mon, 22 Oct 2018 07:35:07 GMT Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.0f HelloHello: Blupp WWW-Authenticate: SR_Basic realm="abcdef" Content-Length: 381 Content-Type: text/html; charset=iso-8859-1 and gdb tells me that mod_headers get WWW-Authenticate in err_headers_out, as expected..