[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs

joel reed joelwreed at gmail.com
Tue Apr 17 06:54:52 EDT 2007


Section 15.2 of RFC 2608 reads:

   An HTTP/1.1 server may return multiple challenges with a 401
   (Authenticate) response, and each challenge may use a different
   scheme.  The order of the challenges returned to the user agent is in
   the order that the server would prefer they be chosen. The server
   should order its challenges with the "most secure" authentication
   scheme first. A user agent should choose as the challenge to be made
   to the user the first one that the user agent understands.

Without the attached change, mono was choosing whatever was sent last,
which was the most insecure authentication option.

This is a one line fix. Please apply.

By the way, I'm not convinced HttpWebRequest.cs will do the right thing
when it gets multiple www-authenticate headers. Let's say the first 
header says use NTLM, but someone has called, 
"AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that 
will fail. But this is a separate bug.

jr
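As an added illustration of the selection rule quoted above (not code from the patch or from Mono's WebHeaderCollection), the Python model below parses a 401 response's WWW-Authenticate challenges, keeping the server's order, and picks the first scheme the client has registered. It also models the "last wins" behaviour the mail describes in the pre-fix code, so the two can be compared on the same input. The header values, the set of "registered" schemes and the helper names are constructed for this example; the parser splits on commas outside quoted strings and treats a piece that starts with a scheme token followed by whitespace (or nothing) as a new challenge, the way a WebHeaderCollection that has joined several header lines with commas would need to.

```python
import re
from typing import List, Optional, Sequence, Tuple

# A challenge is (scheme, raw parameter string), e.g. ("Digest", 'realm="r", nonce="x"').
Challenge = Tuple[str, str]

# Commas that are not inside a quoted-string (even number of quotes ahead of us).
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A piece that begins a new challenge: scheme token, then optional whitespace + rest.
# A parameter piece such as nonce="x" has '=' directly after the token and does not match.
_SCHEME_START = re.compile(r'^([A-Za-z][A-Za-z0-9._-]*)(?:\s+(.*))?$')


def parse_challenges(header_value: str) -> List[Challenge]:
    """Split one WWW-Authenticate value (possibly several joined with ', ')
    into challenges in the order the server sent them."""
    challenges: List[List[str]] = []
    for piece in _COMMA_OUTSIDE_QUOTES.split(header_value):
        piece = piece.strip()
        if not piece:
            continue
        m = _SCHEME_START.match(piece)
        rest = m.group(2) if m else None
        if m and (rest is None or not rest.lstrip().startswith("=")):
            challenges.append([m.group(1), rest or ""])
        elif challenges:
            # Another parameter of the challenge that is currently open.
            challenges[-1][1] += ", " + piece
        else:
            raise ValueError("parameter before any scheme: %r" % piece)
    return [(scheme, params) for scheme, params in challenges]


def parse_header_lines(lines: Sequence[str]) -> List[Challenge]:
    """Multiple WWW-Authenticate header lines: concatenate in wire order."""
    result: List[Challenge] = []
    for line in lines:
        result.extend(parse_challenges(line))
    return result


def select_challenge(challenges: Sequence[Challenge],
                     registered: Sequence[str]) -> Optional[Challenge]:
    """RFC behaviour: the first challenge (server preference order) whose
    scheme the client understands; schemes are compared case-insensitively."""
    known = {s.lower() for s in registered}
    for scheme, params in challenges:
        if scheme.lower() in known:
            return scheme, params
    return None


def select_last_understood(challenges: Sequence[Challenge],
                           registered: Sequence[str]) -> Optional[Challenge]:
    """Model of the pre-fix behaviour described in the mail: whatever
    understood challenge was sent last wins, typically the weakest one."""
    return select_challenge(list(reversed(challenges)), registered)


if __name__ == "__main__":
    # Constructed 401 response headers, strongest scheme first as the RFC recommends.
    response_headers = [
        "Negotiate",
        "NTLM",
        'Digest realm="example", nonce="a, b", qop="auth"',
        'Basic realm="example"',
    ]
    chs = parse_header_lines(response_headers)
    # Client that has had NTLM unregistered and never supported Negotiate.
    client_schemes = ["Digest", "Basic"]
    print("server order :", [s for s, _ in chs])
    print("RFC choice   :", select_challenge(chs, client_schemes))
    print("last-wins    :", select_last_understood(chs, client_schemes))
```

With the constructed input the RFC rule yields Digest, skipping the two schemes the client does not have registered, while the last-wins model falls through to Basic, which is the downgrade the one-line fix is meant to prevent.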


