>Number: 794
>Category: mod_dir
>Synopsis: Authentication performed multiple times when searching for directory index
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Jun 26 14:40:00 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2
>Environment:
HP-UX 10.2, gcc
>Description:
Assuming a directory without an index file and DirectoryIndex with about
5 different filenames on it - the page is also protected w/ a password.
When attempting to retrieve: "...../thedir/", the server authenticates the
userid and password once for every file that is listed in DirectoryIndex
even if the file doesn't exist.
It seems like the authentication should be performed only if the server is
deciding whether or not to send the file, not when it is trying to pick
which one to display.
This isn't a big deal using htpasswd authentication, but if the
authentication is expensive (authenticating to Kerberos/AFS over the
network), it gets to be a little too intensive.
>How-To-Repeat:
>Fix:
I haven't looked at that portion of the code, but a simple fix would be,
instead of

    for each file
        check pass, if OK
            if file exists
                send first match

to

    for each file
        if file exists
            check if pass ok, if ok
                send first match

That would eliminate some of the unnecessary checks. It wouldn't entirely
solve it, but it would help some.
>Audit-Trail:
>Unformatted:
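
The two loop orders from the Fix field, as an added example that is not part of the original report and is not Apache source code: it counts how many times a stand-in for the expensive credential check runs under each order. The function names, the candidate list and the directory contents are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: five DirectoryIndex candidates, as in the report. */
static const char *const candidates[] = {
    "index.html", "index.htm", "index.shtml", "index.cgi", "welcome.html"
};
enum { NCAND = sizeof candidates / sizeof candidates[0] };

static int auth_calls; /* round trips to the (possibly remote) auth backend */

/* Hypothetical stand-in for an expensive check such as Kerberos/AFS. */
static int check_auth(int creds_ok) { auth_calls++; return creds_ok; }

static int file_exists(const char *const *dir, int ndir, const char *name) {
    for (int i = 0; i < ndir; i++)
        if (strcmp(dir[i], name) == 0) return 1;
    return 0;
}

/* Order the report observes: authenticate every candidate, then test it. */
static const char *pick_auth_first(const char *const *dir, int ndir, int creds_ok) {
    auth_calls = 0;
    for (int i = 0; i < NCAND; i++)
        if (check_auth(creds_ok) && file_exists(dir, ndir, candidates[i]))
            return candidates[i];
    return NULL;
}

/* Order the report proposes: authenticate only candidates that exist. */
static const char *pick_exists_first(const char *const *dir, int ndir, int creds_ok) {
    auth_calls = 0;
    for (int i = 0; i < NCAND; i++)
        if (file_exists(dir, ndir, candidates[i]) && check_auth(creds_ok))
            return candidates[i];
    return NULL;
}

int main(void) {
    static const char *const dir[] = {"notes.txt", "index.cgi"}; /* constructed */
    const char *a = pick_auth_first(dir, 2, 1);
    int n1 = auth_calls;
    const char *b = pick_exists_first(dir, 2, 1);
    printf("auth-first:   %s after %d auth checks\n", a, n1);
    printf("exists-first: %s after %d auth checks\n", b, auth_calls);
    return 0;
}
```

When no candidate exists, the second order makes no credential check inside this loop at all, so whatever the server returns instead of an index file still needs its own access check.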