Bug 62025 - mod_headers doesn't edit WWW-Authentication from mod_auth_basic
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_headers
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Reported: 2018-01-20 08:11 UTC by Roland Reichwein
Modified: 2018-10-22 08:28 UTC

Attachments
Fix for editing headers from mod_auth_basic in mod_headers (474 bytes, patch)
2018-01-20 08:11 UTC, Roland Reichwein

Description Roland Reichwein 2018-01-20 08:11:55 UTC
Created attachment 35690
Fix for editing headers from mod_auth_basic in mod_headers

Hi!

When using a directive like

    "Header always edit WWW-Authenticate ^Basic SR_Basic"

in the Apache configuration to fine-tune mod_auth_basic functionality, mod_headers doesn't change this header as expected.

I traced that Apache adds the "WWW-Authenticate" header in mod_auth_basic.c (to r->err_headers_out) and afterwards handles the "Header" directive in mod_headers.c which unfortunately operates on a different copy of r->err_headers_out in mod_headers.c:ap_headers_error_filter().

When adding a second do_headers_fixup() to ap_headers_error_filter() as done in ap_headers_output_filter() to operate on r->headers_out also, the problem is gone.

Some context with a similar problem description at:

https://stackoverflow.com/questions/46220113/remove-www-authenticate-header

I'm attaching a patch that fixed it for me.

Thanks!

Roland
Comment 1 Luca Toscano 2018-10-21 17:46:55 UTC
Hi Roland,

thanks a lot for the report. I reproduced with the basic config outlined in the Stack Overflow post and the latest 2.4.x version of the code.

gdb shows me:

    Thread 6 "httpd" hit Breakpoint 1, ap_headers_error_filter (f=0x7fffc4007698, in=0x7fffc4007830) at mod_headers.c:906
    906         do_headers_fixup(f->r, f->r->err_headers_out, dirconf->fixup_err, 0);
    (gdb) dump_table f->r->err_headers_out
    (gdb) dump_table f->r->headers_out
    [0] 'WWW-Authenticate'='Basic realm="abcdef"' [0x7fffc4007658]

Header always should only add/modify/etc. the err_headers_out list, not the headers_out one, so mod_headers seems to work as intended. The main issue that I am seeing is related to the WWW-Authenticate header, which should not be in headers_out.
Comment 2 Luca Toscano 2018-10-22 07:38:15 UTC
Also very interesting that with trunk I get the correct result:

    # curl localhost/session/test -i
    HTTP/1.1 401 Unauthorized
    Date: Mon, 22 Oct 2018 07:35:07 GMT
    Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.0f
    HelloHello: Blupp
    WWW-Authenticate: SR_Basic realm="abcdef"
    Content-Length: 381
    Content-Type: text/html; charset=iso-8859-1

and gdb tells me that mod_headers gets WWW-Authenticate in err_headers_out, as expected.
Comment 3 Luca Toscano 2018-10-22 08:25:36 UTC
I re-tested 2.4.x with http://svn.apache.org/r1832092 and it seems to work fine. Can you test, Roland, if you still have patience/time?
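
The two-table behaviour discussed in this report, as an added example that is not part of the bug thread and is not httpd code: a simplified C model showing why an edit applied only to err_headers_out misses a challenge stored in headers_out, and what a second pass over headers_out changes. `struct hdr`, `edit_header` and `run_case` are hypothetical names; the header value is constructed from the gdb dump in Comment 1.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for one header table entry (not httpd's apr_table_t). */
struct hdr { const char *name; char value[128]; };
/* Models "Header always edit <name> <pat> <sub>" applied to ONE table:
 * replaces the first regex match in each header called `name`. */
int edit_header(struct hdr *tbl, size_t n, const char *name, const char *pat, const char *sub)
{
    regex_t re;
    regmatch_t m;
    int edits = 0;
    if (regcomp(&re, pat, REG_EXTENDED) != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        char out[sizeof tbl[i].value];
        if (strcasecmp(tbl[i].name, name) || regexec(&re, tbl[i].value, 1, &m, 0))
            continue;                       /* other header, or no match */
        snprintf(out, sizeof out, "%.*s%s%s", (int)m.rm_so, tbl[i].value,
                 sub, tbl[i].value + m.rm_eo);
        strcpy(tbl[i].value, out);          /* out is NUL-terminated, same size */
        edits++;
    }
    regfree(&re);
    return edits;
}

/* in_err_out: table holding the challenge (0 = headers_out, as in the 2.4.x gdb
 * dump). second_pass: also fix up headers_out. Returns the value the client sees. */
const char *run_case(int in_err_out, int second_pass)
{
    static struct hdr out[1], err_out[1];
    struct hdr *holder = in_err_out ? err_out : out;
    holder[0].name = "WWW-Authenticate";
    snprintf(holder[0].value, sizeof holder[0].value, "Basic realm=\"abcdef\"");
    edit_header(err_out, in_err_out ? 1 : 0, "WWW-Authenticate", "^Basic", "SR_Basic");
    if (second_pass)
        edit_header(out, in_err_out ? 0 : 1, "WWW-Authenticate", "^Basic", "SR_Basic");
    return holder[0].value;
}

int main(void)
{
    for (int c = 0; c < 3; c++)             /* cases (0,0), (0,1), (1,0) */
        printf("in_err_out=%d second_pass=%d -> %s\n", c == 2, c == 1, run_case(c == 2, c == 1));
    return 0;
}
```

When checking a deployed configuration, the equivalent observation is the `WWW-Authenticate` line of the 401 response, as in the `curl -i` output in Comment 2.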