Search squid archive

[squid-users] Bugs in IE digest proxy auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi folks,

I've observed three bugs in IE6's digest proxy authentication implemention.
Is anyone able to confirm that it's Not Just Me, and whether any good
workarounds are already out there?

1. Double-quote-marks in URLs. IE sends a digest-uri-value that's improperly
escaped, as in (when visiting http://localhost/test.html"foo):

Digest username="User Name", realm="Login", qop="auth", algorithm="MD5", uri="/test.html"foo", nonce="q3...
vs Firefox which sends:
Digest username="User Name", realm="Login", nonce="42yWQuDPGw/gebJ8", uri="/test.html%22foo", response="666...

I've worked around this by means of a hack in authenticateDigestDecodeAuth.

2. Never reuses a nonce - always sends a request, gets a 407 challenge
with a new nonce value, then reissues the request with the correct
Proxy-Authorization header; this doubles the number of actual HTTP
requests; is there a workaround?

3. IE gets confused when a website uses a 401 authentication challenge.
In this case, it prompts for and sends the Authorization: header,
but then repeatedly re-prompts the user for their proxy credentials.
I've worked around this by inventing the following access list:

acl msie-win-browser browser MSIE.*Windows
acl basic-auth auth_regex Basic
auth_param digest access deny msie-win-browser basic-auth
auth_param digest access allow all

Yes, I had to invent "auth_regex" and "auth_param digest access".
This ACL effectively downgrades the user to using basic proxy auth
if using basic www auth.

I'd especially like a solution for bug 3, because the workaround is
ugly, insecure and expensive.  I have a case open with Microsoft Partner
Support right now.

Oddly enough, IE5 on the Mac doesn't have any of these symptoms.

Any takers?


-- 
Joshua Goodall                           "as modern as tomorrow afternoon"
joshua@xxxxxxxxxxxxxx                                       - FW109

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux