tags 226954 + woody
severity 226954 minor
stop
quit
thanks

Please do not abuse severity. The bug is fixed and could be closed.
Fabio On Fri, 9 Jan 2004, Marc SCHAEFER wrote: > Package: apache > Version: 1.3.26-0woody3 > Severity: important > Tags: patch > > Hi, > > if using mod_proxy in Apache and the remote HTTP server returns > a HTTP/1.1 401 (authentification required), but there is nothing > after the 401 after the space, Apache adds a space and thus > makes the additional header lines displayed in your WWW client. > > Bad case: > HTTP/1.1 401 > Content-Type: text/html;charset=ISO-8859-1 > Connection: close > Content-Language: en-US > Date: Fri, 09 Jan 2004 15:19:57 GMT > Server: Apache Tomcat/4.1 (HTTP/1.1 Connector) > WWW-Authenticate: Basic realm="Authentication for bla platform." > > Good case: > replace the first line with > HTTP/1.1 401 blaaa > > (you can easily reproduce this by typing by hand through a > nc -l -p 4000) > > This was found by using tomcat4.1 with Apache and mod_proxy and > an authentification module. > > References: (although this is Apache 2, it applies). > http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=89179 > > Patch: > Apparently the fix is already in testing/unstable, this is > for documentation for people who wants to maintain stable > packages. > > diff -urP apache_1.3.26/src/modules/proxy/proxy_util.c > apache_1.3.26/apache_1.3.26/src/modules/proxy/proxy_util.c > --- build-tree/apache_1.3.26/src/modules/proxy/proxy_util.c Tue Jun 18 > 02:59:59 2002 > +++ build-tree/apache_1.3.26/src/modules/proxy/proxy_util.c Mon Feb 3 > 18:13:26 2003 > @@ -1,7 +1,7 @@ > /* ==================================================================== > * The Apache Software License, Version 1.1 > * > - * Copyright (c) 2000-2002 The Apache Software Foundation. All rights > + * Copyright (c) 2000-2003 The Apache Software Foundation. All rights > * reserved. > * > * Redistribution and use in source and binary forms, with or without 
> @@ -1607,6 +1607,12 @@ > } > *backasswards = 0; > > + /* there need not be a reason phrase in the response, > + * and ap_getline() already deleted trailing whitespace. > + * But RFC2616 requires a SP after the Status-Code. Add one: > + */ > + if (strlen(buffer) < sizeof("HTTP/1.x 200 ")-1) > + buffer = ap_pstrcat(r->pool, buffer, " ", NULL); > buffer[12] = '\0'; > r->status = atoi(&buffer[9]); > buffer[12] = ' '; > > > -- System Information > Debian Release: 3.0 > Architecture: i386 > Kernel: Linux defian 2.4.21 #1 Fri Nov 7 18:54:07 MET 2003 i686 > Locale: LANG=C, LC_CTYPE=fr_CH > > Versions of packages apache depends on: > ii apache-common 1.3.26-0woody3 Support files for all Apache > webse > ii dpkg 1.9.21 Package maintenance system for > Deb > ii libc6 2.2.5-11.5 GNU C Library: Shared libraries > an > ii libdb2 2:2.7.7.0-7 The Berkeley database routines > (ru > ii libexpat1 1.95.2-6 XML parsing C library - runtime > li > ii logrotate 3.5.9-8 Log rotation utility > ii mime-support 3.18-1.3 MIME files 'mime.types' & > 'mailcap > ii perl 5.6.1-8.3 Larry Wall's Practical Extraction > ii perl [perl5] 5.6.1-8.3 Larry Wall's Practical Extraction > > > > -- Our mission: make IPv6 the default IP protocol "We are on a mission from God" - Elwood Blues http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html
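Review bot: In the proxy_util.c hunk at line 1607, the added guard `if (strlen(buffer) < sizeof("HTTP/1.x 200 ")-1)` is true for every status line shorter than 13 bytes, not only for the 12-byte "HTTP/1.1 401" case the comment describes. For a truncated line such as "HTTP/1.1 40", appending a single space still leaves the string under 13 bytes, so the unchanged `buffer[12] = '\0';` and `buffer[12] = ' ';` that follow would write at or past the terminator of the newly allocated pool string. Unless a length check earlier in the function (not visible in this hunk) already guarantees at least 12 characters, test for exactly that length before appending the SP and treat anything shorter as a malformed response. Separately, `atoi(&buffer[9])` accepts non-digit input without signalling an error, so it is worth confirming that the three status characters are digits before using the result as `r->status`.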