Proxy-Authorization forwarded, as of jigsaw 2.2.2 from Thomas Kriegelstein on 2003-02-20 (www-jigsaw@w3.org from January to February 2003)

From: Thomas Kriegelstein <tk4@mail.inf.tu-dresden.de>
Date: Thu, 20 Feb 2003 03:52:52 -0500 (EST)
To: www-jigsaw@w3.org
Message-Id: <200302200952.39115.tk4@mail.inf.tu-dresden.de>

Hi,

org/w3c/jigsaw/proxy/ForwardFrame.java (jigsaw 2.2.2) Line 246 sets the
Proxy-Authenticate header to null. This header is not supposed to be send by a 
client or upstream-proxy. This is not the bug but a copy & paste mistake from 
dupReply.

The bug is:
According to RFC 2616 section 13.5.1:
The Proxy-Authorization header is also a hop-by-hop header. So it should be 
set to null.
Recommended fix: Replace the H_PROXY_AUTHENTICATE in line 246 with
H_PROXY_AUTHORIZATION.

Another possibility:
Set all hop-by-hop headers in dupReply and dupRequest to null.
Without distinction between reply and request messages.

Without this fix a downstream webserver learns how to authenticate with the 
proxy!

Ciaou,
  Thomas

Received on Sunday, 23 February 2003 06:10:35 UTC