[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs

joel reed joelwreed at gmail.com
Tue Apr 17 07:21:03 EDT 2007


I apologize for forgetting the patch itself!

Attached,

jr

joel reed wrote:
> Section 15.2 of RFC 2608 reads:
> 
>   An HTTP/1.1 server may return multiple challenges with a 401
>   (Authenticate) response, and each challenge may use a different
>   scheme.  The order of the challenges returned to the user agent is in
>   the order that the server would prefer they be chosen. The server
>   should order its challenges with the "most secure" authentication
>   scheme first. A user agent should choose as the challenge to be made
>   to the user the first one that the user agent understands.
> 
> Without the attached change, mono was choosing whatever was sent last,
> which was the most insecure authentication option.
> 
> This is a one line fix. Please apply.
> 
> By the way, I'm not convinced HttpWebRequest.cs will do the right thing
> when it gets multiple www-authenticate headers. Let's say the first
> header says use NTLM, but someone has called,
> "AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that
> will fail. But this is a separate bug.
> 
> jr
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rfc2608-fix.patch
Type: text/x-patch
Size: 1680 bytes
Desc: not available
Url : http://lists.ximian.com/pipermail/mono-devel-list/attachments/20070417/2edcb9c4/attachment.bin
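The selection rule the quoted RFC passage describes, as an added Python example that is not part of the patch or of Mono's WebHeaderCollection code: it parses the challenges out of one or more WWW-Authenticate header values in server order (a single value may carry several comma-separated challenges, and parameters such as realm may themselves contain commas inside quotes) and returns the first challenge the client supports. `first_wins=False` models the pre-fix "last one sent wins" behaviour reported above; the header values, realm and nonce are constructed sample data.

```python
"""Choose the WWW-Authenticate challenge to answer: first understood wins."""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]  # (scheme, parameters)

# Constructed sample: most secure scheme first, as the RFC text recommends.
# The second header value carries two challenges (Digest, then Basic).
SAMPLE_HEADERS = [
    'NTLM',
    'Digest realm="mono.example", qop="auth", nonce="n0nce", '
    'Basic realm="mono.example"',
]

_PARAM_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def _split_unquoted(value: str) -> List[str]:
    """Split a header value on commas that are not inside a quoted string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def _params(text: str) -> Dict[str, str]:
    """Parse name=value pairs, dropping the surrounding quotes of quoted values."""
    return {k: v.strip('"') for k, v in _PARAM_RE.findall(text)}


def parse_challenges(header_values: List[str]) -> List[Challenge]:
    """Return every challenge from all header values, preserving server order."""
    challenges: List[Challenge] = []
    for value in header_values:
        for part in _split_unquoted(value):
            head, _, rest = part.partition(' ')
            if '=' in head and challenges:
                # 'qop="auth"' style fragment: a parameter of the previous challenge
                challenges[-1][1].update(_params(part))
            else:
                challenges.append((head, _params(rest)))
    return challenges


def choose_challenge(header_values: List[str], supported_schemes: List[str],
                     first_wins: bool = True) -> Optional[Challenge]:
    """RFC behaviour: first understood challenge. first_wins=False: last one (pre-fix)."""
    supported = {s.lower() for s in supported_schemes}
    usable = [c for c in parse_challenges(header_values) if c[0].lower() in supported]
    if not usable:
        return None
    return usable[0] if first_wins else usable[-1]
```

With NTLM unregistered on the client (the follow-up concern in the post), the function falls through to Digest rather than failing, because selection is done over the parsed list rather than the raw first header.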