Received: (qmail 73305 invoked by uid 501); 1 Jun 2001 08:00:18 -0000
Message-Id: <20010601080018.73303.qmail@apache.org>
Date: 1 Jun 2001 08:00:18 -0000
From: Segey Pozdnyakov <sereja@mail.ru>
Reply-To: sereja@mail.ru
To: submit@bugz.apache.org
Subject: Incorrect URI comparison algorithm in mod_auth_digest
X-Send-Pr-Version: 3.110

>Number:         7797
>Category:       mod_auth-any
>Synopsis:       Incorrect URI comparison algorithm in mod_auth_digest
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jun 01 01:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     sereja@mail.ru
>Release:        1.3.20
>Organization:
apache
>Environment:
Windows NT Server 4.0 Service Pack 5
Using binary distributive Of Apache (no compiler used)
ActivePerl 5.6.0 (build 620) used for executing CGI scripts
>Description:
When I tried to use digest authentification (with module mod_auth_digest)
on simple CGI script test.pl (which works good without digest authentification;
 see code below), I get the following error message:

Digest: uri mismatch - </cgi-bin/test.pl> does not match request-uri </cgi-bin/test.pl?query=view>

I think that the problem is in incorrect URI comparison algorithm in
mod_auth_digest.c. Maybe I'm wrong, but in my opinion such requests should work
fine, where is no access violation (the script is always the same, only
parameters are changing).
>How-To-Repeat:
test.pl
-------

#!d:/perl/bin/perl.exe
use strict;
use CGI ':standard';

import_names('p');
$p::query ||= 'start';

print header, start_html;

eval "&$p::query()";

sub start{
    print "<a href=test.pl?query=view>Test</a>";
}

sub view{
    print "OK";
}
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]