sworda / serf

Automatically exported from code.google.com/p/serf
Apache License 2.0
0 stars 0 forks source link

HTTP headers should be treated case-insenstively #130

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Attempt to use svn_ra_serf with a server secured by CA SiteMinder

What is the expected output? What do you see instead?
I expected this to work, as it has with previous subversion releases (which 
used neon, rather than serf). 
Instead, I get an error svn: E120191: Error running context: The requested 
authentication type(s) are not supported

What version of the product are you using? On what operating system?
TortoiseSVN 1.8.2 (serf 1.3.1), on Windows 7 x64

--

I apologize for the lousy reproduction scenario above; I'm not sure how best to 
describe a setup that involves a server behaving oddly.

The problem occurs because SiteMinder sends the 401 response with a header 
> WWW-authenticate: basic realm="FOCUS Repository"
whereas Apache AuthType basic sends a slightly different header
> WWW-Authenticate: Basic realm="FOCUS Repository"
Note the lowercase 'a' in the in the field name from SiteMinder.

According to HTTP/1.1 Section 4.2 
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) "Field names are 
case-insensitive", so I don't think SiteMinder is actually wrong here.

serf_bucket_headers_get seems to handle this correctly, since I do not get 
SERF_ERROR_AUTHN_FAILED. However, auth/auth.c:store_header_in_dict re-tests the 
name when it iterates do get all copies, and it does not ignore case as it 
should. The offending line
>     /* We're only interested in xxxx-Authenticate headers. */
>    if (strcmp(key, ab->header) != 0)

I think this just needs to be strcasecmp, as it is in 
buckets/headers_buckets.c: serf_bucket_headers_get.

It's a nuisance to set up the build environment to recompile 
serf/subversion/TortoiseSVN, so I have not done so. However, I have verified 
that case-sensitivity is the root of my authentication problem, by opening 
libsvn_tsvn.dll in a hex editor and simply patching the string constant to be 
"WWW-authenticate" instead. This restored the ability to communicate with my 
server (though it then of course broke the ability to communicate with other 
ones using the normal capitalization).

Original issue reported on code.google.com by pue...@gmail.com on 16 Sep 2013 at 8:59

GoogleCodeExporter commented 9 years ago
Yup, that seems to be an issue. Attached patch to make the test suite test for 
authn header case insensitivity.

Original comment by lieven.govaerts@gmail.com on 16 Sep 2013 at 9:18

Attachments:

GoogleCodeExporter commented 9 years ago
Test cases and fix were committed in r2171, I'll back port it to 1.3.2 
(unplanned for now).

Thanks for your detailed analysis!
Lieven

Original comment by lieven.govaerts@gmail.com on 17 Sep 2013 at 11:23

GoogleCodeExporter commented 9 years ago
I believe we have the same problem here. Will this be in the 1.3.2 release?

Original comment by Guido.Wi...@gmail.com on 27 Sep 2013 at 3:17

GoogleCodeExporter commented 9 years ago
Hi Guido,
all changes for 1.3.2 including r2171 have been merged to the 1.3.x branch. 
Release will follow at the end of this week.
Lieven

Original comment by lieven.govaerts@gmail.com on 29 Sep 2013 at 6:43

GoogleCodeExporter commented 9 years ago
The problem is fixed for me in 1.3.2. Thanks to everyone involved!

Original comment by Guido.Wi...@gmail.com on 14 Oct 2013 at 9:47