hi all...

  the MSIE + query string and mod_auth_digest came up again yesterday in
bugzilla:

    http://issues.apache.org/bugzilla/show_bug.cgi?id=27758

the issue was discussed here a while ago, most notably in

  http://marc.theaimsgroup.com/?t=105510868000001&r=1&w=2

with most people thinking it was a decent enough idea but with little in
terms of a resolution.

anyway, I (along with a few others in the two threads) am kind of in favor
of giving admins _some_ way to support MSIE + Digest.  I like Paul's
original patch but kind of felt that playing with the comparison algorithm
was, well, messier than messing with the individual components.  messy in
either case but at least this way if the comparison ever needs to change
there are less parentheses to worry about ;)

so new patch against HEAD is attached.  comments, new or changed opinions,
implementation preferences, etc welcome.  if the consensus is that the idea
is decent I'll keep reworking patches until everyone is satisfied with the
details.

--Geoff
Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.86
diff -u -r1.86 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c       21 Feb 2004 00:53:18 -0000      1.86
+++ modules/aaa/mod_auth_digest.c       19 Mar 2004 18:20:48 -0000
@@ -1671,8 +1671,34 @@
         if (d_uri.path) {
             ap_unescape_url(d_uri.path);
         }
+
         if (d_uri.query) {
             ap_unescape_url(d_uri.query);
+        }
+        else if (r_uri.query) {
+            /* MSIE compatibility hack.  MSIE has some RFC issues - doesn't 
+             * include the query string in the uri Authorization component
+             * or when computing the response component.  the second part
+             * works out ok, since we can hash the header and get the same
+             * result.  however, the uri from the request line won't match
+             * the uri Authorization component since the header lacks the 
+             * query string, leaving us incompatable with a (broken) MSIE.
+             * 
+             * the workaround is to fake a query string match if in the proper
+             * environment - BrowserMatch MSIE, for example.  the cool thing
+             * is that if MSIE ever fixes itself the simple match ought to 
+             * work and this code won't be reached anyway, even if the
+             * environment is set.
+             */
+
+            if (apr_table_get(r->subprocess_env, 
+                              "AuthDigestEnableQueryStringHack")) {
+            
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Digest: "
+                              "applying AuthDigestEnableQueryStringHack");
+
+               d_uri.query = r_uri.query;
+            } 
         }
 
         if (r->method_number == M_CONNECT) {
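
Review bot: In the new `else if (r_uri.query)` branch, the `apr_table_get(r->subprocess_env, "AuthDigestEnableQueryStringHack")` test only checks that the variable is present, so any value, including something like `0` or `off`, turns the hack on; either check the value or say so in the comment. Once `d_uri.query = r_uri.query;` runs, the query part of the uri match is equal by construction, and per the comment the client left the query string out when computing the response, so for these requests the query string is not covered by the digest at all. That trade-off deserves a sentence in the comment, together with advice to set the variable as narrowly as possible (the comment's BrowserMatch MSIE case) rather than server-wide. The patch also carries no user documentation for the new environment variable. Minor: "incompatable" should be "incompatible", the `d_uri.query = r_uri.query;` line is indented one column short of the surrounding block, and several added lines end in trailing whitespace.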
