work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack

is set in r->subprocess_env allow mismatched query strings to pass. PR: 27758 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103096 13f79535-47bb-0310-9956-ffa450edef68
2026-01-06 09:01:14 +03:00 · 2004-03-23 13:57:48 +00:00
parent 7896be49dd
commit 7665ccd497
2 changed files with 31 additions and 0 deletions
--- a/4
+++ b/4
@@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev

  [Remove entries to the current 2.0 section below, when backported]

+  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
+     is set in r->subprocess_env allow mismatched query strings to pass.
+     PR 27758.  [Paul Querna <chip force-elite.com>, Geoffrey Young]
+
  *) logresolve: Allow size of log line buffer to be overridden at
     build time (MAXLINE).  PR 27793.  [Jeff Trawick]

--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -1671,9 +1671,36 @@ static int authenticate_digest_user(request_rec *r)
        if (d_uri.path) {
            ap_unescape_url(d_uri.path);
        }
+
        if (d_uri.query) {
            ap_unescape_url(d_uri.query);
        }
+        else if (r_uri.query) {
+            /* MSIE compatibility hack.  MSIE has some RFC issues - doesn't 
+             * include the query string in the uri Authorization component
+             * or when computing the response component.  the second part
+             * works out ok, since we can hash the header and get the same
+             * result.  however, the uri from the request line won't match
+             * the uri Authorization component since the header lacks the 
+             * query string, leaving us incompatable with a (broken) MSIE.
+             * 
+             * the workaround is to fake a query string match if in the proper
+             * environment - BrowserMatch MSIE, for example.  the cool thing
+             * is that if MSIE ever fixes itself the simple match ought to 
+             * work and this code won't be reached anyway, even if the
+             * environment is set.
+             */
+
+            if (apr_table_get(r->subprocess_env, 
+                              "AuthDigestEnableQueryStringHack")) {
+            
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Digest: "
+                              "applying AuthDigestEnableQueryStringHack "
+                              "to uri <%s>", resp->raw_request_uri);
+
+               d_uri.query = r_uri.query;
+            } 
+        }

        if (r->method_number == M_CONNECT) {
            if (strcmp(resp->uri, r_uri.hostinfo)) {