RE: proxies rewriting URLs

On Mon, 11 Mar 1996, Paul Leach wrote:
> Interesting.  What happens if I  do this:
> 	GET /secret.txt HTTP/1.1
> 	Authorization:  uri="/public.txt",
> 	 username="fred", realm="",
> 	 nonce="deadbeef", response="0123456789abcdef0123456789abcdef"
> If the server checks the authorization header and its URI, but then 
> uses the URI from the Request-URI in the request line, the whole 
> exercise will have been wasted.
> And if proxies are allowed to munge the URI in unknown ways, the server 
> can't compare the request-URI with the uri in the Authorization header.
> The Digest draft should say the the server MUST use the URI from the 
> Authorization header, as that is the only one that has been authenticated.

The latest draft I sent you addresses this as follows:

"The authenticating server must
   assure that the document designated by the "uri" field is the
   the same as the document served.  The purpose of duplicating
   information from the request URL in this field is to deal with
   the possibility that an intermediate proxy may alter the client's
   request.  This altered (but presumably semantically equivalent)
   request would not result in the same digest as that calculated
   by the client."

John Franks 	Dept of Math. Northwestern University

Received on Friday, 15 March 1996 18:06:48 UTC