On 27 Mar 2002, Raphael Amaury Jacquot wrote:

> On Mon, 2002-03-25 at 23:23, Marc Slemko wrote:
> > On Mon, 25 Mar 2002, Eli Marmor wrote:
> > 
> > > And a yet another note:
> > > 
> > > It is not a bug that "sometime" causes problems;
> > > It is a bug that causes mod_auth_digest to fail ALWAYS (when there are
> > > parameters, of course).
> > 
> > That is defined as "sometimes".  And it is only IE with which it fails,
> > no?
> 
> No, Mozilla (all platforms) does this too.

Odd, since it works for me...

What version of Mozilla is this?  0.9.7 and 0.9.9 both work with
query strings.  (e.g. http://server/foo?bar=taz)

Try http://www.apache.org/~marc/digest/?C=M&O=A

login user / password

Works for me in Mozilla.

Fails in IE because IE doesn't send the query string as part of the digest
uri.

On Tue, 26 Mar 2002, Eli Marmor wrote:

> Marc Slemko wrote:
> 
> > Isn't this a matter of IE incorrectly implementing the spec?
> 
> I'm not sure that this is the "famous" incompatibility between IE and
> Apache. But I'm not sure it isn't, too. In any case, something in the
> current code looks strange, and doesn't make sense. Are you sure that
> the "ifdefed" code implements the RFC?

What looks odd about the current code?

It does some odd questionable comparison shortcuts, but they still
appear to work from my quick glance.  It is checking to make sure the
query string part of the URI matches.

> 
> > Will making this change break browsers that do properly implement it?
> > 
> > It is not obvious if or how we should attempt to cope with IE's
> > brokenness, so it is not something that can just be blindly
> > applied.  Blindly ignoring the query string on a request can have
> > security implications as well that need to be understood.
> 
> I don't see any security problem with it.

Doesn't it allow replay attacks using different query strings?
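The two behaviours under discussion, a server that requires the client's digest-uri to match the request URI exactly versus one that drops the query string to accommodate IE, can be seen side by side with a small RFC 2617 verifier. The following is an added example written for this thread; it is not mod_auth_digest code, and the realm, user, password, nonce values and the `DigestVerifier` class are all constructed for illustration. It computes the request-digest for qop=auth, parses an Authorization header, and then shows that (a) a strict server rejects an IE-style header whose uri omits the query string, which is the failure reported above, and (b) a lenient server that compares only the path accepts a captured header for a different query string under the same nonce, which is the replay concern, unless nonce counts are tracked as well.

```python
"""Added example (not Apache code): RFC 2617 Digest verification with strict
versus lenient digest-uri matching. All credentials and nonces are constructed."""
import hashlib
import hmac
from urllib.parse import urlsplit


def _h(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2), HA2 = H(method:uri)."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization header a client would send for `uri` (the digest-uri)."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header: str) -> dict:
    """Minimal parser for 'Digest k="v", k2=v2' (no commas inside values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


class DigestVerifier:
    """Hypothetical server-side check. strict_uri=True requires digest-uri == request URI
    (query string included); strict_uri=False compares only the path, the IE workaround.
    check_nc=True rejects a nonce count that does not increase for a given nonce."""

    def __init__(self, passwords, strict_uri=True, check_nc=False):
        self.passwords = passwords
        self.strict_uri = strict_uri
        self.check_nc = check_nc
        self.seen = {}  # nonce -> highest nc accepted so far

    def verify(self, header, method, request_uri):
        f = parse_authorization(header)
        if f.get("username") not in self.passwords:
            return False, "unknown user"
        if self.strict_uri:
            if f["uri"] != request_uri:
                return False, "digest-uri does not match request URI"
        elif urlsplit(f["uri"]).path != urlsplit(request_uri).path:
            return False, "digest-uri path does not match request path"
        # HA2 is computed over the uri the client signed, as the RFC requires.
        expected = digest_response(f["username"], f["realm"], self.passwords[f["username"]],
                                   method, f["uri"], f["nonce"], f["nc"], f["cnonce"],
                                   f.get("qop", "auth"))
        if not hmac.compare_digest(expected, f["response"]):
            return False, "bad response"
        if self.check_nc:
            nc = int(f["nc"], 16)
            if nc <= self.seen.get(f["nonce"], 0):
                return False, "nonce count already used"
            self.seen[f["nonce"]] = nc
        return True, "ok"


# Constructed sample credentials and nonce values.
PASSWORDS = {"user": "password"}
NONCE, CNONCE, NC = "dcd98b7102dd2f0e", "0a4f113b", "00000001"


def client_header(digest_uri):
    return build_header("user", "test", "password", "GET", digest_uri, NONCE, NC, CNONCE)


def demo():
    """Outcomes of the checks described in the thread; keys are explained inline."""
    full = client_header("/digest/?C=M&O=A")   # Mozilla-style: query string in digest-uri
    ie = client_header("/digest/")              # IE-style: query string left out
    strict = DigestVerifier(PASSWORDS, strict_uri=True)
    lenient = DigestVerifier(PASSWORDS, strict_uri=False)
    lenient_nc = DigestVerifier(PASSWORDS, strict_uri=False, check_nc=True)
    return {
        "strict_full": strict.verify(full, "GET", "/digest/?C=M&O=A")[0],        # True
        "strict_ie": strict.verify(ie, "GET", "/digest/?C=M&O=A")[0],            # False: the reported failure
        "lenient_ie": lenient.verify(ie, "GET", "/digest/?C=M&O=A")[0],          # True: IE now works
        "lenient_other_query": lenient.verify(full, "GET", "/digest/?C=N&O=D")[0],  # True: same header accepted elsewhere
        "strict_other_query": strict.verify(full, "GET", "/digest/?C=N&O=D")[0],    # False
        "nc_first_use": lenient_nc.verify(full, "GET", "/digest/?C=M&O=A")[0],   # True
        "nc_reuse": lenient_nc.verify(full, "GET", "/digest/?C=N&O=D")[0],       # False: nc not increased
    }
```

Running `demo()` shows the trade-off in one table: strict matching is what breaks IE, lenient matching fixes IE but lets one Authorization header satisfy any request on the same path for as long as the nonce is valid, and tracking the nonce count per nonce is the check that closes that gap regardless of how the uri is compared.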
