Bug 27758 - digest authentication fails to handle a URL of the form http://domain.world/page.type?querystring
Summary: digest authentication fails to handle a URL of the form http://domain.world/p...
Status: CLOSED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest (show other bugs)
Version: 2.0.48
Hardware: PC All
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2004-03-17 19:57 UTC by reintsh.www01
Modified: 2005-03-20 17:06 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description reintsh.www01 2004-03-17 19:57:03 UTC
When using digest authentication, a URL request including a query_string is not 
handled properly. Apache returns:

Bad Request
Your browser sent a request that this server could not understand.

The error log contains a message like:
Digest: uri mismatch - </mysite/test.htm> does not match request-uri 
</mysite/test.htm?something>

When disabling digest authentication it works as expected.

Regards,
Henk.
Comment 1 Joshua Slive 2004-03-17 20:37:36 UTC
This is a known bug in MSIE.  See, for example, 
http://www.apacheweek.com/issues/02-12-20#dev

It is even documented in apache:
http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html#using

There is a patch to hack-around the MSIE bug:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105510860505665&w=2

But there was never a developer concensus on whether patching around
MSIE's problems was a good idea.

I'll leave this bug open to see if anyone's opinion has changed.
I personally think the work-around is a good idea.
Comment 2 Geoffrey Young 2004-03-18 18:19:07 UTC
I think it would be a good idea to provide msie support here if msie 6 is still
broken.

that said, I'm not too sure that I like the proposed patch.  it's fine, but I
feel in my gut that we shouldn't be messing with the digest algorithm proper -
there's nothing to protect against a mismatched query string in this case, even
though it's still important.  but I like the BrowserMatch approach 

I think the solution I'd rather see is constructing the compared uri from
uri+query if the hack is set, keeping the query as part of the comparison.

I'll work on an alternative patch and move the discussion to httpd-dev if there
is some consensus that my approach has merit.
Comment 3 Geoffrey Young 2004-03-23 14:03:56 UTC
solution applied to 2.1, pending review for backport to 2.0

http://marc.theaimsgroup.com/?l=apache-cvs&m=108005027128025&w=2
Comment 4 Paul Querna 2004-07-10 07:51:03 UTC
commited to 2.0.51-dev.