>Number: 1666
>Category: general
>Synopsis: Apache uses a case sensitive match for "Basic" auth scheme
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Jan 13 21:00:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3b3 and all previous
>Environment:
All
>Description:
When using basic authentication, Apache requires the scheme token in the
Authorization header to be exactly "Basic". If you send, for example,
Authorization: basic ...
the authorization will fail and the message "client used wrong authentication
scheme" will be logged.
Note that this problem is already fixed for Digest in PR# 1599.
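As an added illustration (not part of this PR and not Apache's source), here is a small C routine that performs the scheme-token check the way the fix intends: the token is compared ignoring case, using an ASCII-only comparison so the result does not depend on the process locale. The helper names auth_scheme_matches and basic_credentials are assumed for this example, and the sample header values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Lower-case one ASCII byte; deliberately not tolower(), which is locale-dependent. */
static int ascii_lower(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Split an Authorization header value into scheme token and credentials.
 * Returns 1 when the scheme equals `want` ignoring ASCII case ("basic", "BASIC"
 * and "Basic" all match), else 0. If creds is non-NULL it receives a pointer to
 * the first non-blank byte after the token ("" when there is none). */
int auth_scheme_matches(const char *auth_line, const char *want, const char **creds)
{
    const char *p = auth_line;
    while (*p == ' ' || *p == '\t') p++;            /* tolerate leading blanks */
    const char *scheme = p;
    while (*p && *p != ' ' && *p != '\t') p++;      /* token ends at whitespace */
    size_t len = (size_t)(p - scheme);
    while (*p == ' ' || *p == '\t') p++;            /* skip SP before credentials */
    if (creds) *creds = p;
    if (len == 0 || len != strlen(want)) return 0;  /* "Basicx" must not match */
    for (size_t i = 0; i < len; i++)
        if (ascii_lower((unsigned char)scheme[i]) != ascii_lower((unsigned char)want[i]))
            return 0;
    return 1;
}

/* Credentials of a Basic header, or NULL when another scheme was used. */
const char *basic_credentials(const char *auth_line)
{
    const char *creds;
    return auth_scheme_matches(auth_line, "Basic", &creds) ? creds : NULL;
}

int main(void)
{
    /* Constructed sample header values; the base64 text encodes "user:pass". */
    const char *samples[] = { "Basic dXNlcjpwYXNz", "basic dXNlcjpwYXNz",
                              "BASIC  dXNlcjpwYXNz", "Digest username=\"user\"" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *creds = basic_credentials(samples[i]);
        printf("%-24s -> %s\n", samples[i],
               creds ? creds : "rejected: wrong authentication scheme");
    }
    return 0;
}
```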
>How-To-Repeat:
The easiest way is to access a protected document using telnet and send an
Authorization header as described above.
>Fix:
All comparisons are already case insensitive except for one. Here is the
patch for the last one:
*** http_protocol.c Mon Jan 12 15:41:21 1998
--- http_protocol.c.orig Sat Nov 1 23:24:08 1997
***************
*** 943,949 ****
return AUTH_REQUIRED;
}
! if (strcasecmp(getword(r->pool, &auth_line, ' '), "Basic")) {
/* Client tried to authenticate using wrong auth scheme */
aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"client used wrong authentication scheme: %s", r->uri);
--- 943,949 ----
return AUTH_REQUIRED;
}
! if (strcmp(getword(r->pool, &auth_line, ' '), "Basic")) {
/* Client tried to authenticate using wrong auth scheme */
aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
"client used wrong authentication scheme: %s", r->uri);
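Review bot: the file order in the header lines is reversed (the modified http_protocol.c is given as the `***` old file and http_protocol.c.orig as the `---` new file), so the `!` lines read as changing strcasecmp back to strcmp; anyone applying this with patch(1) needs -R, or the diff should be regenerated with the original file first. The substantive change, strcmp -> strcasecmp on the token returned by getword(), is correct for a case-insensitive auth-scheme token and matches the Digest fix cited in PR# 1599. One further point: the aplog_error format string still records only r->uri, so the rejected scheme token itself never reaches the log; including it would make this class of failure easier to diagnose from the error log.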
>Audit-Trail:
>Unformatted: