
Key: MODPYTHON-47
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Minor
Assignee: Graham Dumpleton
Reporter: Graham Dumpleton
Votes: 0
Watchers: 0
mod_python

Digest Authorization header causes bad request error.

Created: 21/Apr/05 01:48 PM   Updated: 02/Apr/07 11:19 AM
Component/s: publisher
Affects Version/s: 3.1.4
Fix Version/s: 3.3.1

Time Tracking:
Not Specified

File Attachments:
  Size
File Licensed for inclusion in ASF works MP47_20060307_grahamd_1.diff 2006-03-07 07:19 PM Graham Dumpleton 0.8 kB
File Licensed for inclusion in ASF works MP47_20060309_grahamd_2.diff 2006-03-09 08:40 AM Graham Dumpleton 2 kB

Resolution Date: 10/Mar/06 06:20 PM


Description
If Apache is used to perform authentication, the Authorization header still gets
passed through to mod_python.publisher. Unfortunately, the mod_python.publisher
authentication code in process_auth() will attempt to decode the contents of the
Authorization header even if there are no __auth__ or __access__ hooks defined
for authentication and access control within the published code itself.

The consequence of this is that if Digest authentication is used for AuthType
at the level of Apache authentication, the process_auth() code will raise a bad request
error, as it assumes the Authorization header is always in the format for the Basic
authentication type, and when it can't decode it, it raises an error.

What should happen is that any decoding of Authorization should only be done
if there is an __auth__ or __access__ hook that actually requires it. That way, if
someone uses Digest authentication at the Apache configuration file level, provided that no
__auth__ or __access__ hooks are provided, there wouldn't be a problem.

See:

  http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
  http://www.modpython.org/pipermail/mod_python/2005-April/017912.html

for additional information.
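
The difference between the reported and the requested behaviour, as an added example that is not mod_python's code and not part of the original report. The function names, the BadRequest exception, the callable-only hooks and the sample headers are assumptions made for illustration; when a hook exists but the header is not Basic, this sketch treats the request as having no credentials.

```python
import base64


class BadRequest(Exception):
    """Stands in for an HTTP 400 response (hypothetical name)."""


def decode_basic(header):
    """Return (user, password) from a Basic header; None for other schemes."""
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None  # e.g. Digest: already handled at the web server level
    try:
        text = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        raise BadRequest("malformed Basic credentials") from exc
    user, sep, password = text.partition(":")
    if not sep:
        raise BadRequest("malformed Basic credentials")
    return user, password


def eager_auth(headers, hooks):
    """Reported behaviour: decode the header before looking at the hooks."""
    header = headers.get("Authorization")
    if header is not None and decode_basic(header) is None:
        raise BadRequest("Authorization header is not Basic")
    return lazy_auth(headers, hooks)


def lazy_auth(headers, hooks):
    """Requested behaviour: touch the header only when a hook needs it."""
    auth, access = hooks.get("__auth__"), hooks.get("__access__")
    if auth is None and access is None:
        return True  # nothing to enforce here; server-level auth already ran
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return False  # a hook exists but no Basic credentials were supplied
    user, password = creds
    return bool((auth is None or auth(user, password))
                and (access is None or access(user)))


# Constructed sample headers and hook (all values made up for this example).
DIGEST = {"Authorization": 'Digest username="alice", realm="r", nonce="n", '
                           'uri="/", response="x"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
HOOKS = {"__auth__": lambda user, password: (user, password) == ("alice", "s3cret")}
```

With no hooks defined, `eager_auth(DIGEST, {})` raises BadRequest while `lazy_auth(DIGEST, {})` lets the request through, which is the case this issue describes.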

Subversion Commits
Repository Revision Date User Message
ASF #384754 Fri Mar 10 10:20:06 UTC 2006 grahamd Fixed mod_python.publisher so it will not return a HTTP Bad Request
response when mod_auth is being used to provide Digest authentication.
(MODPYTHON-47)
Files Changed
MODIFY /httpd/mod_python/trunk/test/htdocs/tests.py
MODIFY /httpd/mod_python/trunk/lib/python/mod_python/publisher.py
MODIFY /httpd/mod_python/trunk/test/test.py
MODIFY /httpd/mod_python/trunk/Doc/appendixc.tex