On Mon, Sep 24, 2001 at 05:12:42PM -0400, Rodent of Unusual Size wrote:
> Someone has brought up the point that an AuthUserFile database
> containing a line with only ':' on it will allow access if the
> supplied username and password are blank and 'Require valid-user'
> is the access control.
>
> RFC 2617 permits such null credential elements; the questions
> that have been raised for us are:
>
> 1. Should *we* allow it?
> 2. If we allow it, should it match 'valid-user', or only
> 'Require user ""'? (Not sure if the latter will work
> currently.)
>
> My personal HO is 1) yes, we should allow it, and 2) yes,
> it should be matched by 'valid-user' -- because, by virtue
> of its being in the AuthUserFile database, it IS a valid
> user by definition.
+1. (yes, and "" should match valid-user.) -- justin
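
Added example, not part of the original messages and not Apache's own code: a small audit an administrator could run over an AuthUserFile to find the ':' entry discussed above, along with entries where only one of the two fields is empty. The function name, the finding labels, the comment-skipping rule and the sample file are assumptions made for illustration.

```python
from typing import NamedTuple


class Finding(NamedTuple):
    lineno: int
    kind: str   # "null-entry", "empty-user" or "empty-password"
    line: str


def audit_authuserfile(text: str) -> list[Finding]:
    """Flag user:password entries whose user and/or password field is empty."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '#' comment lines are not entries.
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            continue  # no ':' separator, so not a user:password entry
        password = rest.split(":", 1)[0]  # ignore any trailing fields
        if not user and not password:
            kind = "null-entry"        # the bare ':' line from the thread
        elif not user:
            kind = "empty-user"
        elif not password:
            kind = "empty-password"
        else:
            continue
        findings.append(Finding(lineno, kind, line))
    return findings


# Constructed sample file; the hashes are placeholders, not real values.
SAMPLE = """\
# staff accounts
alice:$apr1$PLACEHOLDER$PLACEHOLDERHASHVALUE00
:
bob:
:$apr1$PLACEHOLDER$PLACEHOLDERHASHVALUE01
carol:$apr1$PLACEHOLDER$PLACEHOLDERHASHVALUE02:extra
"""

if __name__ == "__main__":
    for f in audit_authuserfile(SAMPLE):
        print(f"line {f.lineno}: {f.kind}: {f.line!r}")
```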