
Bug#226954: apache: mod_proxy; auth/basic; tomcat4: apache inserts blank line in header



tags 226954 + woody
severity 226954 minor
stop
quit
thanks

Please do not abuse severity. The bug is fixed and could be closed.

Fabio

On Fri, 9 Jan 2004, Marc SCHAEFER wrote:

> Package: apache
> Version: 1.3.26-0woody3
> Severity: important
> Tags: patch
>
> Hi,
>
> if using mod_proxy in Apache and the remote HTTP server returns
> an HTTP/1.1 401 (authentication required), but there is nothing
> after the 401 after the space, Apache adds a space and thus
> makes the additional header lines displayed in your WWW client.
>
> Bad case:
>    HTTP/1.1 401
>    Content-Type: text/html;charset=ISO-8859-1
>    Connection: close
>    Content-Language: en-US
>    Date: Fri, 09 Jan 2004 15:19:57 GMT
>    Server: Apache Tomcat/4.1 (HTTP/1.1 Connector)
>    WWW-Authenticate: Basic realm="Authentication for bla platform."
>
> Good case:
>    replace the first line with
>       HTTP/1.1 401 blaaa
>
> (you can easily reproduce this by typing by hand through a
> nc -l -p 4000)
>
> This was found by using tomcat4.1 with Apache and mod_proxy and
> an authentication module.
>
> References: (although this is Apache 2, it applies).
>    http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=89179
>
> Patch:
>    Apparently the fix is already in testing/unstable, this is
>    for documentation for people who want to maintain stable
>    packages.
>
> diff -urP apache_1.3.26/src/modules/proxy/proxy_util.c apache_1.3.26/apache_1.3.26/src/modules/proxy/proxy_util.c
> --- build-tree/apache_1.3.26/src/modules/proxy/proxy_util.c	Tue Jun 18 02:59:59 2002
> +++ build-tree/apache_1.3.26/src/modules/proxy/proxy_util.c	Mon Feb  3 18:13:26 2003
> @@ -1,7 +1,7 @@
>  /* ====================================================================
>   * The Apache Software License, Version 1.1
>   *
> - * Copyright (c) 2000-2002 The Apache Software Foundation.  All rights
> + * Copyright (c) 2000-2003 The Apache Software Foundation.  All rights
>   * reserved.
>   *
>   * Redistribution and use in source and binary forms, with or without
> @@ -1607,6 +1607,12 @@
>          }
>          *backasswards = 0;
>
> +        /* there need not be a reason phrase in the response,
> +	 * and ap_getline() already deleted trailing whitespace.
> +	 * But RFC2616 requires a SP after the Status-Code. Add one:
> +	 */
> +	if (strlen(buffer) < sizeof("HTTP/1.x 200 ")-1)
> +	  buffer = ap_pstrcat(r->pool, buffer, " ", NULL);
>          buffer[12] = '\0';
>          r->status = atoi(&buffer[9]);
>          buffer[12] = ' ';
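Review bot: The added length check appends a single space to any status line shorter than 13 characters, yet the lines right after it still read buffer[9] and write buffer[12] unconditionally. For a line of exactly 12 characters ("HTTP/1.1 401") this works, because buffer[12] is then the terminator that follows the appended space; for anything shorter, the string returned by ap_pstrcat() ends before index 12 and both buffer[12] assignments land past its terminator. Unless code above this hunk already guarantees a three-digit status code, append only when strlen(buffer) is exactly 12 and reject shorter lines as a bad response. A smaller point: the added lines are tab-indented while the surrounding context uses spaces.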
>
>
> -- System Information
> Debian Release: 3.0
> Architecture: i386
> Kernel: Linux defian 2.4.21 #1 Fri Nov 7 18:54:07 MET 2003 i686
> Locale: LANG=C, LC_CTYPE=fr_CH
>
> Versions of packages apache depends on:
> ii  apache-common             1.3.26-0woody3 Support files for all Apache webse
> ii  dpkg                      1.9.21         Package maintenance system for Deb
> ii  libc6                     2.2.5-11.5     GNU C Library: Shared libraries an
> ii  libdb2                    2:2.7.7.0-7    The Berkeley database routines (ru
> ii  libexpat1                 1.95.2-6       XML parsing C library - runtime li
> ii  logrotate                 3.5.9-8        Log rotation utility
> ii  mime-support              3.18-1.3       MIME files 'mime.types' & 'mailcap
> ii  perl                      5.6.1-8.3      Larry Wall's Practical Extraction
> ii  perl [perl5]              5.6.1-8.3      Larry Wall's Practical Extraction
>
>
>
>

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html
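An added example, not part of the original messages and not Apache's code: a standalone C sketch of the status-line handling discussed in the report, which checks the length before indexing and supplies the SP after the Status-Code when the backend sends no reason phrase. The function name `normalize_status_line`, the single-digit HTTP version assumption and the sample lines are all hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Apache): validate a backend status line whose
 * trailing whitespace has already been stripped, extract the status code, and
 * write a copy that always has the SP after the Status-Code.
 * Returns 0 on success, -1 if the line is malformed or does not fit in out. */
int normalize_status_line(const char *in, char *out, size_t outsz, int *status)
{
    size_t len = strlen(in);

    /* Need at least "HTTP/1.x 200" (12 chars) before indexing in[9..11]. */
    if (len < 12 || strncmp(in, "HTTP/", 5) != 0)
        return -1;
    if (!isdigit((unsigned char)in[5]) || in[6] != '.' ||
        !isdigit((unsigned char)in[7]) || in[8] != ' ')
        return -1;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)in[i]))
            return -1;
    /* Anything after the code must start with the separating SP. */
    if (len > 12 && in[12] != ' ')
        return -1;

    *status = (in[9] - '0') * 100 + (in[10] - '0') * 10 + (in[11] - '0');

    /* No reason phrase: add the SP; otherwise copy unchanged. */
    int n = snprintf(out, outsz, "%s%s", in, len == 12 ? " " : "");
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample lines, as they look after whitespace stripping. */
    const char *samples[] = { "HTTP/1.1 401", "HTTP/1.1 401 blaaa",
                              "HTTP/1.1", "HTTP/1.1 40" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char out[64];
        int st = 0;
        if (normalize_status_line(samples[i], out, sizeof out, &st) == 0)
            printf("%-20s -> status %d, line \"%s\"\n", samples[i], st, out);
        else
            printf("%-20s -> rejected\n", samples[i]);
    }
    return 0;
}
```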


