Details
Bug
Status: Closed
Major
Resolution: Fixed
Description
What steps will reproduce the problem?
1. Attempt to use svn_ra_serf with a server secured by CA SiteMinder
What is the expected output? What do you see instead?
I expected this to work, as it has with previous subversion releases (which used neon, rather than serf).
Instead, I get an error svn: E120191: Error running context: The requested authentication type(s) are not supported
What version of the product are you using? On what operating system?
TortoiseSVN 1.8.2 (serf 1.3.1), on Windows 7 x64
–
I apologize for the lousy reproduction scenario above; I'm not sure how best to describe a setup that involves a server behaving oddly.
The problem occurs because SiteMinder sends the 401 response with a header
> WWW-authenticate: basic realm="FOCUS Repository"
whereas Apache AuthType basic sends a slightly different header
> WWW-Authenticate: Basic realm="FOCUS Repository"
Note the lowercase 'a' in the field name from SiteMinder.
According to HTTP/1.1 Section 4.2 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) "Field names are case-insensitive", so I don't think SiteMinder is actually wrong here.
serf_bucket_headers_get seems to handle this correctly, since I do not get SERF_ERROR_AUTHN_FAILED. However, auth/auth.c:store_header_in_dict re-tests the name when it iterates to get all copies, and it does not ignore case as it should. The offending line:
> /* We're only interested in xxxx-Authenticate headers. */
> if (strcmp(key, ab->header) != 0)
I think this just needs to be strcasecmp, as it is in buckets/headers_buckets.c: serf_bucket_headers_get.
It's a nuisance to set up the build environment to recompile serf/subversion/TortoiseSVN, so I have not done so. However, I have verified that case-sensitivity is the root of my authentication problem, by opening libsvn_tsvn.dll in a hex editor and simply patching the string constant to be "WWW-authenticate" instead. This restored the ability to communicate with my server (though it then of course broke the ability to communicate with other ones using the normal capitalization).
Original issue reported by puetzk
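
The comparison problem described in this report, as an added example that is not serf's code and not part of the original report: the same header filter run with `strcmp` and with `strcasecmp` over the two 401 responses quoted above. The `struct header` type, the `basic_challenges` function and the header arrays are constructed for illustration; the scheme token is also matched case-insensitively, since auth scheme names are case-insensitive like field names.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Constructed sample data: response headers as name/value pairs. */
struct header { const char *name; const char *value; };

static const struct header siteminder_401[] = {
    { "Content-Type", "text/html" },
    { "WWW-authenticate", "basic realm=\"FOCUS Repository\"" },
};
static const struct header apache_401[] = {
    { "Content-Type", "text/html" },
    { "WWW-Authenticate", "Basic realm=\"FOCUS Repository\"" },
};

typedef int (*name_cmp_fn)(const char *, const char *);

/* Hypothetical stand-in for a header-iteration filter: counts the Basic
 * challenges found in hdrs, using cmp to test each field name. */
static int basic_challenges(const struct header *hdrs, size_t n,
                            name_cmp_fn cmp)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        /* Only xxxx-Authenticate headers are of interest. */
        if (cmp(hdrs[i].name, "WWW-Authenticate") != 0)
            continue;
        /* The scheme is the first token of the value. */
        size_t len = strcspn(hdrs[i].value, " \t");
        if (len == 5 && strncasecmp(hdrs[i].value, "Basic", 5) == 0)
            found++;
    }
    return found;
}

int main(void)
{
    printf("SiteMinder, strcmp:     %d\n",
           basic_challenges(siteminder_401, 2, strcmp));
    printf("SiteMinder, strcasecmp: %d\n",
           basic_challenges(siteminder_401, 2, strcasecmp));
    printf("Apache,     strcmp:     %d\n",
           basic_challenges(apache_401, 2, strcmp));
    printf("Apache,     strcasecmp: %d\n",
           basic_challenges(apache_401, 2, strcasecmp));
    return 0;
}
```

With `strcmp` the SiteMinder response yields no usable challenge, which matches the "requested authentication type(s) are not supported" symptom; with `strcasecmp` both servers yield one.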