[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs
joelwreed at gmail.com
Tue Apr 17 06:54:52 EDT 2007
Section 15.2 of RFC 2608 reads:
An HTTP/1.1 server may return multiple challenges with a 401
(Authenticate) response, and each challenge may use a different
scheme. The order of the challenges returned to the user agent is in
the order that the server would prefer they be chosen. The server
should order its challenges with the "most secure" authentication
scheme first. A user agent should choose as the challenge to be made
to the user the first one that the user agent understands.
Without the attached change, mono was choosing whatever was sent last,
which was the most insecure authentication option.
This is a one line fix. Please apply.
By the way, I'm not convinced HttpWebRequest.cs will do the right thing
when it gets multiple www-authenticate headers. Let's say the first
header says use NTLM, but someone has called,
"AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that
will fail. But this is a separate bug.
More information about the Mono-devel-list