mod_python / MODPYTHON-47

Digest Authorization header causes bad request error.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.3.1
    • Component/s: publisher
    • Labels:
      None

      Description

      If Apache is used to perform authentication, the Authorization header still gets
      passed through to mod_python.publisher. Unfortunately, the mod_python.publisher
      authentication code in process_auth() will attempt to decode the contents of the
      Authorization header even if there are no __auth__ or __access__ hooks defined
      for authentication and access control within the published code itself.

      The consequence of this is that if Digest authentication is used for AuthType
      at the level of Apache authentication, the process_auth() code will raise a bad request
      error, as it assumes the Authorization header is always in the format for the Basic
      authentication type, and when it can't decode it, it raises an error.

      What should happen is that any decoding of the Authorization header should only be done
      if there is an __auth__ or __access__ hook that actually requires it. That way, if
      someone uses Digest authentication at the Apache configuration file level, provided that no
      __auth__ or __access__ hooks are provided, there wouldn't be a problem.

      See:

      http://www.modpython.org/pipermail/mod_python/2005-April/017911.html
      http://www.modpython.org/pipermail/mod_python/2005-April/017912.html

      for additional information.
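
The ordering problem described above, as an added example that is not mod_python's code and not part of the original report: a stand-alone model contrasting eager decoding of the Authorization header with decoding only when a hook needs it. The function names, the `BadRequest` exception, the simplified hook semantics (`__auth__` as a callable, `__access__` as a list of users) and the sample headers are assumptions made for illustration.

```python
import base64
from types import SimpleNamespace

class BadRequest(Exception):
    """Stands in for the bad request error described in the issue."""

def parse_basic(header):
    """Decode 'Basic <base64(user:password)>' or raise BadRequest."""
    scheme, _, blob = header.partition(" ")
    try:
        if scheme.lower() != "basic":
            raise ValueError("Authorization scheme is not Basic")
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # also covers binascii.Error and UnicodeDecodeError
        raise BadRequest(str(exc)) from exc
    user, _, password = decoded.partition(":")
    return user, password

def has_hooks(obj):
    return hasattr(obj, "__auth__") or hasattr(obj, "__access__")

def run_hooks(obj, creds):
    # Simplified hook model (assumption): callable __auth__, list-valued __access__.
    user, password = creds or (None, None)
    auth = getattr(obj, "__auth__", None)
    if auth is not None and not auth(user, password):
        return False
    allowed = getattr(obj, "__access__", None)
    return allowed is None or user in allowed

def process_auth_eager(headers, obj):
    """Reported behaviour: decode the header before looking for hooks."""
    header = headers.get("Authorization")
    creds = parse_basic(header) if header else None
    return run_hooks(obj, creds) if has_hooks(obj) else True

def process_auth_lazy(headers, obj):
    """Requested behaviour: decode only when a hook will use the result."""
    if not has_hooks(obj):
        return True  # Apache already authenticated; header is left untouched
    header = headers.get("Authorization")
    return run_hooks(obj, parse_basic(header) if header else None)

# Constructed sample data, not captured traffic.
DIGEST = {"Authorization": 'Digest username="alice", realm="demo", nonce="abc", uri="/"'}
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
BASIC_BAD = {"Authorization": "Basic " + base64.b64encode(b"alice:wrong").decode()}
PLAIN = SimpleNamespace()  # published object without hooks
PROTECTED = SimpleNamespace(__auth__=lambda u, p: (u, p) == ("alice", "s3cret"))
```

With a hook defined, a Digest header still fails in both versions, because the hook needs Basic credentials that the header does not carry.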

        Attachments

        1. MP47_20060307_grahamd_1.diff
          0.8 kB
          Graham Dumpleton
        2. MP47_20060309_grahamd_2.diff
          2 kB
          Graham Dumpleton

            People

            • Assignee:
              grahamd Graham Dumpleton
              Reporter:
              grahamd Graham Dumpleton