First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 92660
Alias:
Product:
Component:
Status: RESOLVED
Resolution: NEEDINFO
Assigned To: Marcelo Goes <vanquirius@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: ewill3@earthlink.net
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 92660 depends on: Show dependency tree
Bug 92660 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-05-14 18:45 0000 
This looks like an upstream issue, if it's not a Links config problem.

I was testing Digest authentication with a servlet under JBoss that I've developed (though I suspect Apache could reproduce this as well, with some work; I'd have to try it).

It turns out that Links is recognizing the WWW-Authenticate: Digest header in the 401 response and prompts the user for username and password -- but then turns around and sends an Authorization: Basic <base64-encoded> response.

This is quite obviously wrong, though it's not a security concern as such, just a bug.

(This is links-2.1_pre17.)

Reproducible: Always
Steps to Reproduce:
1. Configure Apache, JBOSS, or other such to enable Digest authentication.  (I ran into this bug because I'm doing some custom code that works very well with Mozilla/Firefox -- and even with IE.)
2. 'emerge links' if necessary.
3. Turn on a sniffer.  I use tcpdump but there are presumably others.
4. Try to access the website using Links and using Mozilla or Firefox.
5. Look at the dumped packets.
Actual Results:  
Mozilla works fine; authentication proceeds and the response comes back.

Links gets a 400 Bad Request error.  The logs on the servlet side (in JBoss, at
least) clearly show the bad header coming back.

(For what it's worth, Lynx (another browser) is showing more or less correct
behavior, if only because it can't understand Digest authentication so it
basically gives up and shows the 401 response.)

Expected Results:  
A good question.  Ideally, Links would fully implement RFC2617, or at least
enough to do the right thing by Apache.  Either that, or it could spit out a
message locally stating that "sorry, we don't do Digest Authentication", to warn
the user.

See http://www.ietf.org/rfc/rfc2616.txt and http://www.ietf.org/rfc/rfc2617.txt
for the gory details.

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130,
glibc-2.3.4.20041102-r1, 2.6.10-gentoo-r6 i686)
=================================================================
System uname: 2.6.10-gentoo-r6 i686 AMD Athlon(TM) XP 1600+
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, Apr 29 2005, 20:55:04)]
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r7
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r1, 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=athlon-xp -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=athlon-xp -march=i686 -pipe"
DISTDIR="/data/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.iso88591"
MAKEOPTS="-j3"
PKGDIR="/usr/portage_packages.aurigae"
PORTAGE_TMPDIR="/data/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X aalib acpi acpi4linux alsa apm arts avi berkdb bitmap-fonts cdr
crypt cups curl eds emboss encode esd f77 fam flac foomaticdb fortran gd gdbm
ggi gif gimpprint gnome gnomedb gpm gstreamer gtk gtk2 guile imagemagick imlib
ipv6 jack java jpeg junit kde libg++ libwww mad mikmod mmx motif mozilla mp3
mpeg nas ncurses nls nptl ogg oggvorbis opengl oss pam pdflib perl png postgres
ppds python qt quicktime readline sdl slang snmp spell ssl tcltk tcpd tetex tiff
truetype truetype-fonts type1-fonts unicode vorbis xine xml2 xmms xv zlib
video_cards_fglrx video_cards_radeon userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS, LINGUAS

------- Comment #1 From Marcelo Goes 2005-05-15 11:28:00 0000 ------- 
Hi there,

Thanks for bringing the bug up.
Have you a) tested a hand-compiled version b) contacted upstream?

This does look like an upstream problem, where they would be more apt to solve it quickly.

------- Comment #2 From Marcelo Goes 2005-05-25 10:57:02 0000 ------- 
Please re-open if a handcompiled version yields a different result.
Otherwise I am taking this is an upstream issue and should be reported to them.

------- Comment #3 From Marcelo Goes 2005-06-07 14:18:26 0000 ------- 
A patch from upstream is in -r2 for testing.
First Last Prev Next    No search results available      Search page      Enter new bug