https://bz.apache.org/bugzilla/show_bug.cgi?id=66341

Christophe JAILLET <christophe.jail...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from Christophe JAILLET <christophe.jail...@wanadoo.fr> ---
Thanks for testing.

I think that the relevant part is in RFC 7230 ([1]) cited in the
HttpProtocolOptions documentation:

> Userinfo (i.e., username and password) are now disallowed in HTTP and
> HTTPS URIs, because of security issues related to their transmission
> on the wire.  (Section 2.7.1)

Anyway, IMHO, it should be stated explicitly in the doc, at least where
username:password@ is useable.



> Is basic authentication supplied in the URL now blocked by default for other
> protocols as well?

I guess so. [2] is part of the standard URI handling.
I'll give it a try with our test framework to confirm.



[1]: https://www.rfc-editor.org/rfc/rfc7230#appendix-A.2
[2]: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/protocol.c?view=markup#l970
