* [EMAIL PROTECTED] wrote:
> Do not use local paths for the domain parameter on non-unix systems.
>
> PR: 16937
The guessing code is somewhat weird anyway.
RFC 2617, 3.2.1 writes (about 'domain'):
| If this directive is omitted or its value is empty, the client should
| assume that the protection space consists of all URIs on the responding
| server.
And the ABNF says:
domain = "domain" "=" <"> URI *( 1*SP URI ) <">
URI = absoluteURI | abs_path
so,
a) domain _cannot_ be empty. We should omit it entirely if it has no value,
right? (I think it's probably intended that it can be empty, but who
knows the clients?)
b) We have to ensure that (at least the guessed) domain is either an
absoluteURI or an abs_path. This is currently not the case.
IMHO, we should (1) guess more strictly and throw a 500 with a hint in
the error_log to use AuthDigestDomain or (2) require AuthDigestDomain
always.
I'd prefer the latter for 2.1.
Opinions?
nd
--
That reminds me, why doesn't Unicode actually have an
"i" with a little heart as its dot? That would be sooo sweeet!
-- Björn Höhrmann in darw