[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs

Miguel de Icaza miguel at novell.com
Tue Apr 17 11:31:26 EDT 2007


Hey,

> I apologize for forgetting the patch itself!

The patch looks ok.

> Attached,
> 
> jr
> 
> joel reed wrote:
> > Section 15.2 of RFC 2608 reads:
> > 
> >   An HTTP/1.1 server may return multiple challenges with a 401
> >   (Authenticate) response, and each challenge may use a different
> >   scheme.  The order of the challenges returned to the user agent is in
> >   the order that the server would prefer they be chosen. The server
> >   should order its challenges with the "most secure" authentication
> >   scheme first. A user agent should choose as the challenge to be made
> >   to the user the first one that the user agent understands.
> > 
> > Without the attached change, mono was choosing whatever was sent last,
> > which was the most insecure authentication option.
> > 
> > This is a one line fix. Please apply.
> > 
> > By the way, I'm not convinced HttpWebRequest.cs will do the right thing
> > when it gets multiple www-authenticate headers. Let's say the first 
> > header says use NTLM, but someone has called, 
> > "AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that 
> > will fail. But this is a separate bug.
> > 
> > jr
> > 
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
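Added illustration, not part of this thread and not Mono's WebHeaderCollection or HttpWebRequest code (written in Python rather than C# so the selection logic reads language-neutral): it parses a 401 response's WWW-Authenticate values into individual challenges, then picks the first one the client understands in the order the server sent them, as the RFC text quoted above requires, and can also reproduce the "last one wins" behaviour Joel describes so the difference is visible. The header values and the client's set of supported schemes are constructed samples; the function and variable names are this example's own.

```python
"""Pick an authentication challenge from a 401 response's WWW-Authenticate headers.

The server is expected to list challenges most-secure first; a client that
honours that order picks the first scheme it understands.  Picking the last
one (the pre-patch Mono behaviour described on the list) silently downgrades
to the weakest scheme, typically Basic.
"""
import re

# Constructed sample: four WWW-Authenticate header values from one 401 response,
# ordered by the server from most to least secure.
SAMPLE_WWW_AUTHENTICATE = [
    "Negotiate",
    "NTLM",
    'Digest realm="mono", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"',
    'Basic realm="mono"',
]

# Constructed sample client: understands NTLM, Digest and Basic, but not Negotiate.
CLIENT_SCHEMES = ("NTLM", "Digest", "Basic")

# A piece that starts with 'token=' is an auth-param belonging to the previous
# challenge; anything else starts a new challenge ('Scheme ...').
_PARAM_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+\s*=")


def _split_commas_outside_quotes(value):
    """Split on commas that are not inside a quoted-string (nonce/realm may contain commas)."""
    pieces, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    return [p.strip() for p in pieces if p.strip()]


def split_challenges(value):
    """Split one header value into challenges; 'Negotiate, NTLM' yields two,
    a Digest challenge with several comma-separated params stays one."""
    challenges = []
    for piece in _split_commas_outside_quotes(value):
        if challenges and _PARAM_RE.match(piece):
            challenges[-1] += ", " + piece
        else:
            challenges.append(piece)
    return challenges


def scheme_of(challenge):
    """Scheme name of a challenge, lower-cased (scheme tokens are case-insensitive)."""
    return challenge.split(None, 1)[0].lower()


def choose_challenge(header_values, supported, prefer_last=False):
    """Return the challenge the client should answer, or None if it understands none.

    Default: first understood challenge in server order (RFC behaviour).
    prefer_last=True: last understood challenge, reproducing the downgrade bug.
    """
    challenges = [c for v in header_values for c in split_challenges(v)]
    supported_lower = {s.lower() for s in supported}
    candidates = [c for c in challenges if scheme_of(c) in supported_lower]
    if not candidates:
        return None
    return candidates[-1] if prefer_last else candidates[0]


def demo():
    """Compare correct and buggy selection on the constructed sample."""
    correct = choose_challenge(SAMPLE_WWW_AUTHENTICATE, CLIENT_SCHEMES)
    buggy = choose_challenge(SAMPLE_WWW_AUTHENTICATE, CLIENT_SCHEMES, prefer_last=True)
    return scheme_of(correct), scheme_of(buggy)


if __name__ == "__main__":
    good, bad = demo()
    print("RFC order picks:", good)      # ntlm
    print("last-wins picks:", bad)       # basic
```

Removing a scheme from the client's supported set (the AuthenticationManager.Unregister("NTLM") case Joel raises) should make the selection fall through to the next understood challenge in server order, Digest here, rather than fail; the last assertion below checks exactly that.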
