http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16520

Summary: cache MUST NOT cache responses to Authorization requests
Product: Apache httpd-2.0
Version: HEAD
Platform: All
URL: http://coad.measurement-factory.com/cgi-bin/coad/GraseInfoCgi?session=bug&info_id=test_clause/rfc2616/authorizn-cachedNot
OS/Version: All
Status: NEW
Severity: Major
Priority: Other
Component: mod_cache
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

Looks like a possible RFC 2616 MUST violation. Mod_cache caches responses to requests containing an unusual Authorization header. The bug seems to be in the HTTP header parser (or internal header representation) because it is triggered by adding white space after the header name (which is legal per the RFC 2616 "implied *LWS" rule).

Higher-than-default severity was chosen because this bug may affect user privacy and might lead to unauthorized access to protected resources if some UAs send compliant (but not common) Authorization headers. It is also likely that the same [parsing/representation] bug may affect handling of other headers (Connection?), but there are no test cases to prove that speculation at this time.

See attached trace(s) for details and ways to reproduce the violation mentioned above. Test case IDs in the trace link to human-oriented test case descriptions and RFC quotes, if available.
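As an added illustration of the two rules the report relies on (this is example code, not Apache httpd or mod_cache source): a shared-cache storage check that applies RFC 2616 section 14.8 (no caching of responses to Authorization requests unless the response carries s-maxage, must-revalidate or public) on top of a header parser that honours implied *LWS before the colon. The `strict_name=True` path is an assumption that models the defect the reporter hypothesises (header name taken literally, so "Authorization :" never matches); the request and response messages are constructed.

```python
# Added example, not mod_cache code. strict_name=True models the hypothesised
# defect (header name taken literally); sample messages are constructed.

def parse_headers(raw: str, strict_name: bool = False) -> dict:
    """Return {lowercased field-name: value} for the header lines in raw.

    RFC 2616 implied *LWS allows whitespace between a field-name and its
    colon, so "Authorization : Basic ..." is legal. strict_name=False strips
    that whitespace (correct); strict_name=True keeps the name verbatim.
    """
    headers = {}
    for line in raw.split("\r\n")[1:]:   # [1:] drops the request/status line
        if ":" not in line:              # blank line terminating the headers
            continue
        name, value = line.split(":", 1)
        if not strict_name:
            name = name.strip()
        headers[name.lower()] = value.strip()
    return headers

def cache_control_directives(headers: dict) -> set:
    """Directive names (arguments dropped) from a Cache-Control field."""
    field = headers.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in field.split(",") if d.strip()}

def shared_cache_may_store(request: str, response: str, strict_name: bool = False) -> bool:
    """RFC 2616 14.8: a shared cache MUST NOT store the response to a request
    carrying Authorization unless the response carries s-maxage,
    must-revalidate or public. Other freshness rules are out of scope."""
    req = parse_headers(request, strict_name)
    if "authorization" not in req:
        return True
    allowed = {"s-maxage", "must-revalidate", "public"}
    return bool(cache_control_directives(parse_headers(response)) & allowed)

# Constructed sample messages.
REQ_PLAIN = ("GET /private HTTP/1.1\r\nHost: example.test\r\n"
             "Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
REQ_LWS = ("GET /private HTTP/1.1\r\nHost: example.test\r\n"
           "Authorization : Basic dXNlcjpwYXNz\r\n\r\n")   # legal implied LWS
RESP_PRIVATE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
RESP_PUBLIC = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=60\r\n\r\n"
```

With the literal-name parser, `shared_cache_may_store(REQ_LWS, RESP_PRIVATE, strict_name=True)` returns True, i.e. the response to the authenticated request would be stored; with the LWS-aware parser it returns False for both request forms.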
