[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs

Antonello Provenzano antonello at deveel.com
Tue Apr 17 07:01:23 EDT 2007


Junior,


> Without the attached change, mono was choosing whatever was sent last,
> which was the most insecure authentication option.


ok... but you didn't attach anything... :)



On 4/17/07, joel reed <joelwreed at gmail.com> wrote:
> Section 15.2 of RFC 2608 reads:
>
>    An HTTP/1.1 server may return multiple challenges with a 401
>    (Authenticate) response, and each challenge may use a different
>    scheme.  The order of the challenges returned to the user agent is in
>    the order that the server would prefer they be chosen. The server
>    should order its challenges with the "most secure" authentication
>    scheme first. A user agent should choose as the challenge to be made
>    to the user the first one that the user agent understands.
>
> Without the attached change, mono was choosing whatever was sent last,
> which was the most insecure authentication option.
>
> This is a one line fix. Please apply.
>
> By the way, I'm not convinced HttpWebRequest.cs will do the right thing
> when it gets multiple www-authenticate headers. Let's say the first
> header says use NTLM, but someone has called,
> "AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that
> will fail. But this is a separate bug.
>
> jr
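The challenge-selection rule in the RFC text quoted above, next to a model of the last-wins behaviour the post describes, as an added Python example (this is not the Mono patch, which is not attached, nor Mono's own code; `SUPPORTED` stands in for the client's registered schemes and `SAMPLE_401_HEADERS` is a constructed response):

```python
import re
# Schemes this hypothetical client has registered, standing in for the
# AuthenticationManager registry the post mentions (constructed set).
SUPPORTED = {"negotiate", "ntlm", "digest", "basic"}

# A comma separates challenges/params only when an even number of '"'
# follows it, i.e. when it is not inside a quoted-string such as a realm.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_challenges(header_values):
    """Flatten one or more WWW-Authenticate values into (scheme, params)
    pairs in server order. 'token=value' pieces continue the current
    challenge; a bare token or 'Scheme param=...' starts a new one."""
    challenges = []
    for value in header_values:
        for piece in _COMMA_OUTSIDE_QUOTES.split(value):
            piece = piece.strip()
            if not piece:
                continue
            head, _, rest = piece.partition(" ")
            if "=" in head and challenges:
                challenges[-1][1].append(piece)
            else:
                challenges.append((head.lower(), [rest.strip()] if rest.strip() else []))
    return [(scheme, ", ".join(params)) for scheme, params in challenges]

def choose_challenge(header_values, supported=SUPPORTED):
    """Rule quoted in the post: the first challenge, in server order, whose
    scheme the client understands; unregistered schemes are skipped."""
    for scheme, params in parse_challenges(header_values):
        if scheme in supported:
            return scheme, params
    return None

def choose_challenge_last_wins(header_values, supported=SUPPORTED):
    """Model of the pre-fix behaviour the post describes: the understood
    challenge sent last wins, i.e. the server's least preferred scheme."""
    chosen = None
    for scheme, params in parse_challenges(header_values):
        if scheme in supported:
            chosen = (scheme, params)
    return chosen

# Constructed 401 response headers, most secure first as the RFC advises.
SAMPLE_401_HEADERS = [
    "Negotiate",
    "NTLM",
    'Digest realm="example", qop="auth, auth-int", nonce="abc123"',
    'Basic realm="example"',
]
```

With NTLM removed from `SUPPORTED`, `choose_challenge` falls through to the next scheme the client understands, which is the case Joel raises about `AuthenticationManager.Unregister("NTLM")`.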