I'm suggesting changing the static string WHAT_THE_HECK_GOES_HERE?
in ap_auth_nonce() to ap_get_server_name()...
comments?
Jim Jagielski wrote:
I'm suggesting changing the static string WHAT_THE_HECK_GOES_HERE?
in ap_auth_nonce() to ap_get_server_name()...
comments?
see my prior comment on that section of code ;)
Dirk's later patch got rid of extra %s in the format string, so zap the last
%s as well as my lame
Jeff Trawick wrote:
see my prior comment on that section of code ;)
Dirk's later patch got rid of extra %s in the format string, so zap the last
%s as well as my lame WHAT_THE_HECK_GOES_HERE?.
There was some discussion on making ServerName a semi-realm-based
aspect of the nonce...
On Apr 16, 2004, at 9:39 AM, Jim Jagielski wrote:
Jeff Trawick wrote:
Anybody want to think about what happens if we're so unlucky that the
ap_user_name or ap_pid_fname string with '\0' is smaller than
sizeof(unsigned long) and just happens to be allocated at the end of a page?
Unlikely, but
On Apr 14, 2004, at 12:12 AM, Ben Laurie wrote:
Surely this advice is not good - this value (according to my reading)
is the only secret that prevents forgery of nonces. OTOH, it's late,
and I may not be thinking clearly about this - in fact, I'm suspecting
that forgery of nonces is not an
As an aside, I am unable to successfully apply either patch to
the current apache-1.3 tree (not fuzz related, just bad patches,
eg:
patching file src/modules/standard/mod_digest.c
Hunk #2 FAILED at 329.
1 out of 2 hunks FAILED -- saving rejects to file
Joshua Slive wrote:
I do have one question about this: Is anyone actually using mod_digest?
I was under the impression that there doesn't exist any client that can
interoperate with this module (as opposed to mod_auth_digest, which
supports modern clients). If this is true, why don't we
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
There is a known bug/issue in the current implementation
of mod_digest regarding the nonce. I am looking to
have this plugged for our next 1.3 release.
There are 2 suggested patches, which I will post under
separate Emails. I will also adjust
(removing [EMAIL PROTECTED]; no need to discuss there)
Jim Jagielski wrote:
Suggested patch:
Index: src/main/http_core.c
===
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.332
diff -u -u -r1.332
On Apr 14, 2004, at 1:57 PM, Ben Laurie wrote:
Correct - it is a nonce-seed.
AuthDigestNonce -- AuthDigestSeed or AuthDigestNonceSeed ?
It should be identical across an XS realm - but different from realm
to realm. If one realm is used on multiple
servers (e.g. non sticky loadbalancing)
I'd like to propose that I simply commit the revised
patch to CVS for us to poke around with/test/review, etc...
My guess is that we'll ship with something similar
and this will provide, at least, a nice framework.
++1 - if we can correct that directive's name on the way in.
Bill
At 04:09 PM 4/14/2004, you wrote:
I'd like to propose that I simply commit the revised
patch to CVS for us to poke around with/test/review, etc...
My guess is that we'll ship with something similar
and this will provide, at
There is a known bug/issue in the current implementation
of mod_digest regarding the nonce. I am looking to
have this plugged for our next 1.3 release.
There are 2 suggested patches, which I will post under
separate Emails. I will also adjust STATUS to reflect
these 2 potential patches.
PLEASE
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
There is a known bug/issue in the current implementation
of mod_digest regarding the nonce. I am looking to
have this plugged for our next 1.3 release.
There are 2 suggested patches, which I will post under
separate Emails. I will also adjust
Jim Jagielski wrote:
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
There is a known bug/issue in the current implementation
of mod_digest regarding the nonce. I am looking to
have this plugged for our next 1.3 release.
There are 2 suggested patches, which I will post under
separate Emails. I
Jeff Trawick wrote:
Candidate patch #1:
This was my patch to an earlier patch to address some build issues and point
out a run-time problem with a sprintf call
I guess I need to go through patch 2 and verify that everything was addressed,
and/or point out the missing pieces (after I
Jim Jagielski wrote:
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char
*name)
{
@@ -3395,6 +3446,9 @@
An HTTP authorization type (e.g., \Basic\) },
{ AuthName, set_authname, NULL, OR_AUTHCFG, TAKE1,
The
I do have one question about this: Is anyone actually using mod_digest?
I was under the impression that there doesn't exist any client that can
interoperate with this module (as opposed to mod_auth_digest, which
supports modern clients). If this is true, why don't we just delete the
darn thing?
Joshua Slive wrote:
I do have one question about this: Is anyone actually using mod_digest?
I was under the impression that there doesn't exist any client that can
interoperate with this module (as opposed to mod_auth_digest, which
supports modern clients). If this is true, why don't we