[Mono-dev] [PATCH] security related fix for mcs/class/System/System.Net/WebHeaderCollection.cs
Miguel de Icaza
miguel at novell.com
Tue Apr 17 11:31:26 EDT 2007
> I apologize for forgetting the patch itself!
The patch looks ok.
> joel reed wrote:
> > Section 15.2 of RFC 2608 reads:
> > An HTTP/1.1 server may return multiple challenges with a 401
> > (Authenticate) response, and each challenge may use a different
> > scheme. The order of the challenges returned to the user agent is in
> > the order that the server would prefer they be chosen. The server
> > should order its challenges with the "most secure" authentication
> > scheme first. A user agent should choose as the challenge to be made
> > to the user the first one that the user agent understands.
> > Without the attached change, mono was choosing whatever was sent last,
> > which was the most insecure authentication option.
> > This is a one line fix. Please apply.
> > By the way, I'm not convinced HttpWebRequest.cs will do the right thing
> > when it gets multiple www-authenticate headers. Let's say the first
> > header says use NTLM, but someone has called,
> > "AuthenticationManager.Unregister("NTLM")" - I'm fairly certain that
> > will fail. But this is a separate bug.
> > jr
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
More information about the Mono-devel-list