hi all...

the MSIE + query string and mod_auth_digest came up again yesterday in bugzilla:

http://issues.apache.org/bugzilla/show_bug.cgi?id=27758

the issue was discussed here a while ago, most notably in

http://marc.theaimsgroup.com/?t=105510868000001&r=1&w=2

with most people thinking it was a decent enough idea but with little in terms of a resolution.

anyway, I (along with a few others in the two threads) am kind of in favor of giving admins _some_ way to support MSIE + Digest. I like Paul's original patch but kind of felt that playing with the comparison algorithm was, well, messier than messing with the individual components. messy in either case but at least this way if the comparison ever needs to change there are fewer parentheses to worry about ;)

so new patch against HEAD is attached. comments, new or changed opinions, implementation preferences, etc welcome. if the consensus is that the idea is decent I'll keep reworking patches until everyone is satisfied with the details.

--Geoff

Index: modules/aaa/mod_auth_digest.c =================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v retrieving revision 1.86 diff -u -r1.86 mod_auth_digest.c --- modules/aaa/mod_auth_digest.c 21 Feb 2004 00:53:18 -0000 1.86 +++ modules/aaa/mod_auth_digest.c 19 Mar 2004 18:20:48 -0000 @@ -1671,8 +1671,34 @@ if (d_uri.path) { ap_unescape_url(d_uri.path); } + if (d_uri.query) { ap_unescape_url(d_uri.query); + } + else if (r_uri.query) { + /* MSIE compatibility hack. MSIE has some RFC issues - doesn't + * include the query string in the uri Authorization component + * or when computing the response component. the second part + * works out ok, since we can hash the header and get the same + * result. however, the uri from the request line won't match + * the uri Authorization component since the header lacks the + * query string, leaving us incompatable with a (broken) MSIE. + * + * the workaround is to fake a query string match if in the proper + * environment - BrowserMatch MSIE, for example. the cool thing + * is that if MSIE ever fixes itself the simple match ought to + * work and this code won't be reached anyway, even if the + * environment is set. + */ + + if (apr_table_get(r->subprocess_env, + "AuthDigestEnableQueryStringHack")) { + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Digest: " + "applying AuthDigestEnableQueryStringHack"); + + d_uri.query = r_uri.query; + } } if (r->method_number == M_CONNECT) {
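
Review bot: In the new `else if (r_uri.query)` branch, `d_uri.query = r_uri.query;` makes the later uri comparison pass for whatever query string arrives on the request line, while (as the comment itself says) the response hash is computed over the header uri that lacks it, so with AuthDigestEnableQueryStringHack set the query string is not covered by the digest at all. The comment should state that consequence plainly, and the variable needs documentation that says so, since the suggested trigger (BrowserMatch MSIE) keys on the client-supplied User-Agent and any client that sends a matching User-Agent and omits the query from its Authorization uri gets the relaxed check. Two smaller points: the debug message in `ap_log_rerror` would be more useful if it included the request-line query being accepted, and "incompatable" in the comment should read "incompatible".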