[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs

joel reed joelwreed at gmail.com
Tue Apr 17 07:21:03 EDT 2007

I apologize for forgetting the patch itself!



joel reed wrote:
> Section 15.2 of RFC 2608 reads:
>   An HTTP/1.1 server may return multiple challenges with a 401
>   (Authenticate) response, and each challenge may use a different
>   scheme.  The order of the challenges returned to the user agent is in
>   the order that the server would prefer they be chosen. The server
>   should order its challenges with the "most secure" authentication
>   scheme first. A user agent should choose as the challenge to be made
>   to the user the first one that the user agent understands.
> Without the attached change, mono was choosing whatever was sent last,
> which was the most insecure authentication option.
> This is a one line fix. Please apply.
> By the way, I'm not convinced HttpWebRequest.cs will do the right thing
> when it gets multiple www-authenticate headers. Let's say the first 
> header says use NTLM, but someone has called, 
> "AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that 
> will fail. But this is a separate bug.
> jr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rfc2608-fix.patch
Type: text/x-patch
Size: 1680 bytes
Desc: not available
Url : http://lists.ximian.com/pipermail/mono-devel-list/attachments/20070417/2edcb9c4/attachment.bin 

More information about the Mono-devel-list mailing list