>Number:         5090
>Category:       mod_auth-any
>Synopsis:       Incorrect headers returned when trying to access protected directory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Oct 1 07:50:00 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.9
>Environment:
uname -R -a: IRIX indra 6.5 6.5.3f 01221642 IP22
SGI's MIPSpro C compiler, version 7.2.1
Problem occurs no matter what compiler options I use.

My configure script looks like this:

    env LDFLAGS="-n32 -mips3 -Wl,-s,-x" \
        OPTIM="-n32 -O3 -mips3 -TARG:processor=r4000:platform=ip22_4k" \
        configure --prefix=/disk1/httpd/apache \
        --enable-suexec --suexec-caller=httpd \
        --suexec-uidmin=100 --suexec-gidmin=19 \
        --suexec-safepath="/usr/local/bin:/usr/bsd:/usr/freeware/bin:/usr/bin/:/usr/sbin:/sbin:/usr/lib/print" \
        --enable-module=unique_id --enable-module=mime_magic \
        --enable-module=rewrite --enable-module=speling \
        --enable-module=auth_dbm --enable-module=auth_anon \
        --enable-module=auth_digest --enable-module=cern_meta \
        --enable-module=headers --enable-module=expires \
        --enable-module=info --enable-module=so \
        --enable-rule=PARANOID --enable-shared=max --verbose

>Description:
I've got the following type of environment set up in our http.conf file:

    <Directory /full_path_to_protected_directory>
        AuthName "protected area"
        AuthType Basic
        AuthUserFile /full_path_to_password_file
        AuthGroupFile /full_path_to_group_file
        require group authorized
        Satisfy all
        AllowOverride None
        Options ExecCGI FollowSymLinks Indexes Includes MultiViews
        Order deny,allow
        Deny from all
        Allow from .vigyan.com
        <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
            Deny from all
        </Limit>
    </Directory>

When I used my standard Web browser (NCSA's X Mosaic 2.7b5), authorization
would always fail. I telneted into the Web site to check headers and this is
what I saw:

    % telnet machine_name 80
    Trying 123.456.789.123...
    Connected to machine_name.
    Escape character is '^]'.
    GET /protected_directory/ HTTP/1.0

    HTTP/1.0 401
    Server: Apache/1.3.9 (Unix)
    Content-type: text/html
    WWW-Authenticate:

I tried all sorts of things to track the problem down. Finally I discovered
that if I change the AuthName line so that the space is an `_' AND I delete
the quotes around everything, it works. Here are the working headers:

    % telnet machine_name 80
    Trying 123.456.789.123...
    Connected to machine_name.
    Escape character is '^]'.
    GET /protected_directory/ HTTP/1.0

    HTTP/1.1 401 Authorization Required
    Date: Fri, 01 Oct 1999 14:03:21 GMT
    Server: Apache/1.3.9 (Unix)
    WWW-Authenticate: Basic realm="protected_area"
    Connection: close
    Content-Type: text/html

If you notice, I now get more information on the first line, a Date line, and
the correct information in the `WWW-Authenticate:' line.

Before submitting this report, I checked the bug archive and found some
similar, but not exactly the same type of bug reports. Those did, however,
lead me to my workaround.
>How-To-Repeat:

>Fix:
Don't know how you want to fix it. The AuthName doesn't accept blanks in the
name unless the whole thing is quoted. However, this causes messed up headers.
Either the source needs to be changed to allow AuthNames with blanks, or the
documentation needs to be changed to say that blanks in names aren't valid.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be       ]
[ignored unless you are responding to an explicit request from a]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
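
Added example (not part of the original report, and not Apache code): a small Python check that flags the header anomalies described above in a 401 response head, run over the two telnet captures from the report. The function names and the wording of the findings are this example's own.

```python
import re

# A Basic challenge must carry realm="..." as a quoted-string (RFC 7617).
BASIC_REALM = re.compile(r'^Basic\s+(?:.*,\s*)?realm="((?:[^"\\]|\\.)*)"', re.I)
STATUS_LINE = re.compile(r'^HTTP/\d\.\d (\d{3})(?: (.*))?$')

def parse_response_head(raw):
    """Split a raw response head into (status, reason, headers)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), (m.group(2) or ""), headers

def check_401(raw):
    """Return a list of findings for a 401 response head (empty list = clean)."""
    status, reason, headers = parse_response_head(raw)
    if status != 401:
        return ["status is %d, not 401" % status]
    problems = []
    if not reason:
        problems.append("status line has no reason phrase")
    if "date" not in headers:
        problems.append("no Date header")
    challenges = headers.get("www-authenticate", [])
    if not challenges:
        problems.append("no WWW-Authenticate header")
    for c in challenges:
        if not c:
            problems.append("empty WWW-Authenticate challenge")
        elif c.lower().startswith("basic") and not BASIC_REALM.match(c):
            problems.append("Basic challenge without a quoted realm")
    return problems

# Sample input: the two response heads from the report, re-typed here.
BROKEN = ("HTTP/1.0 401\nServer: Apache/1.3.9 (Unix)\n"
          "Content-type: text/html\nWWW-Authenticate:\n")
WORKING = ("HTTP/1.1 401 Authorization Required\n"
           "Date: Fri, 01 Oct 1999 14:03:21 GMT\nServer: Apache/1.3.9 (Unix)\n"
           "WWW-Authenticate: Basic realm=\"protected_area\"\n"
           "Connection: close\nContent-Type: text/html\n")

if __name__ == "__main__":
    for label, head in (("broken", BROKEN), ("working", WORKING)):
        print(label, check_401(head) or "ok")
```

A client that receives the first response has no scheme or realm to prompt for, which matches the authorization failure the report describes.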