MSIE breaks Digest authentication whenever there is a GET query string. This is noted in the httpd manual, but it provides no workaround. By my reading of the RFCs we do use the correct implementation, and most other browsers follow it. But because MSIE does not follow it, it prevents the widespread use of Digest authentication over Basic authentication.
This patch is set up to use a BrowserMatch directive to allow MSIE clients to use Digest Authentication. All I have added to my httpd.conf is:

BrowserMatch MSIE AuthDigestEnableQueryStringHack=on

Example URLs:

http://www.force-elite.com:4080/cgi-bin/printenv
*Digest Authentication w/o extra query string. (always worked in most browsers.)

http://www.force-elite.com:4080/cgi-bin/printenv?&arg1=blah&arg2=afdjkh
*Digest Authentication w/ extra query string. (broken in MSIE w/o patch)

u/p: test/test

The usernames and passwords that can be used are controlled by the mod_authn_dbi demo page... so anyone can change them: http://www.in.force-elite.com:4080/

This patch is against the HEAD of mod_auth_digest. I can make a patch against the version in the 2.0 branch if no one else does.

Patch: http://open.cyanworlds.com/~chip/mod_auth_digest.c-QueryStringHack.patch

--- mod_auth_digest.c 13 Feb 2003 02:28:57 -0000 1.79 +++ mod_auth_digest.c 8 Jun 2003 21:40:10 -0000 @@ -1634,6 +1634,7 @@ request_rec *mainreq; const char *t; int res; + int query_string_hack; /* do we require Digest auth for this URI? */ @@ -1715,6 +1716,12 @@ if (d_uri.query) { ap_unescape_url(d_uri.query); } + if(apr_table_get(r->subprocess_env, "AuthDigestEnableQueryStringHack")){ + query_string_hack = 0; + } + else { + query_string_hack = 1; + } if (r->method_number == M_CONNECT) { if (strcmp(resp->uri, r_uri.hostinfo)) { @@ -1742,9 +1749,9 @@ && !(d_uri.path && !r_uri.path && resp->psd_request_uri->hostname && d_uri.path[0] == '*' && d_uri.path[1] == '\0')) /* check that query matches */ - || (d_uri.query != r_uri.query + || ( query_string_hack && (d_uri.query != r_uri.query && (!d_uri.query || !r_uri.query - || strcmp(d_uri.query, r_uri.query))) + || strcmp(d_uri.query, r_uri.query)))) ) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Digest: uri mismatch - <%s> does not match "

-chip
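
Review bot: the test added in the second hunk (@@ -1715), if(apr_table_get(r->subprocess_env, "AuthDigestEnableQueryStringHack")), only checks that the variable is present, so a configuration that sets AuthDigestEnableQueryStringHack=off would switch the query check off exactly as =on does. Please compare the returned value against "on" (case-insensitively) before relaxing the check. The flag is also named the wrong way round: query_string_hack is set to 0 when the hack is enabled and to 1 when it is not, and the third hunk uses it as "do the comparison"; a name such as check_query would read correctly at both sites. Minor style: httpd code puts a space after "if" and before "{".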
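
Review bot: in the third hunk (@@ -1742), once query_string_hack is 0 the whole query comparison is skipped, so for a flagged client the request-line query string is no longer tied to the uri the Digest response covers: a request is accepted whether its query is missing from the Digest uri or simply different from it. The flag is set by BrowserMatch MSIE, which keys on the User-Agent header, and that header is chosen by the client, so any client can select the relaxed path. If the goal is only to tolerate a Digest uri that carries no query string, narrow the condition to that case (skip the comparison only when d_uri.query is NULL) and keep rejecting when both queries are present and differ. Please also add a comment at the condition, and a note in the module documentation, saying that the query string is not covered by the digest check when the variable is set.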