>Number: 4164 >Category: mod_auth-any >Synopsis: ErrorDocument (401) directive in .htaccess file oddities >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Mar 29 14:00:00 PST 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.6 >Environment: uname -a SunOS empyrean 5.7 Generic i86pc i386 i86pc
Using gcc -O3 >Description: First, the URL for an ErrorDocument 401 directive in a .htaccess file does not seem to be checked to see if it is a full URL - the URL *is* followed on auth. failure, even if it is a full URL, which I know is a no-no. ;-) Secondly, the bug reported in PR 1809 seems to be fixed (it hasn't been closed). When I define a CGI script the username/password box pops up first. However, I think there should be some documentation stating (again, for people that don't get it) that they should *not* use this CGI script to send a Redirect header, as users will not get the prompt box if they do. >How-To-Repeat: >Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
