Bug in HTParse.c scan() during basic authentication filter (5.1d)

I believe I have found a bug in the 5.1d code for handling basic 
authentication.

First, here is what I was trying to do:

I was running libapp_4 to connect to password protected web sites.  The 
first site I tried was:

http://mymachine.mydomain.com/website/protecteddir

This seemed to work fine.  I was prompted for a username/password.  The 
second site I tried was:

http://mymachine2.mydomain2.com/protectedwebsite

This went into an infinite recursion doing after filters and cleanup.

It seems the problem is that the template generated for the first URL is 
http://mymachine.mydomain.com/website* and for the second, it is 
http://mymachine2.mydomain2.com*.  The scan() function in HTParse.c puts the * in the 
hostname.  Subsequent lookups of the authorization information for this 
host thus fail because the hash of mymachine2.mydomain2.com does not match 
the hash of mymachine2.mydomain2.com*.

I am guessing a possible fix is to modify scan() so that it accepts either 
/ or * as a terminating character for host names, but I have very little 
experience with this library and don't know what this might break.

Christopher A. Rath
car@research.att.com

Received on Monday, 5 January 1998 11:20:37 UTC
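
The mismatch described in the report above can be reproduced with a small stand-alone sketch. This is an added illustration, not libwww's scan() or its hash table: `extract_host`, `host_hash`, `template_matches_request` and the `extra_term` parameter are hypothetical names, and the djb2 hash is an assumed stand-in for the library's host hash.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical host extractor: the host runs from "//" to the first '/'
 * or to any character listed in extra_term. Returns length or -1. */
static int extract_host(const char *url, const char *extra_term,
                        char *out, size_t outlen)
{
    const char *p = strstr(url, "//");
    size_t n = 0;
    if (p == NULL) return -1;
    p += 2;
    while (p[n] != '\0' && p[n] != '/' && strchr(extra_term, p[n]) == NULL)
        n++;
    if (n + 1 > outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Stand-in string hash used as the host table key (djb2, an assumption). */
static unsigned long host_hash(const char *s)
{
    unsigned long h = 5381;
    while (*s) h = h * 33u + (unsigned char)*s++;
    return h;
}

/* 1 if the host parsed from the stored template keys the same entry as the
 * host parsed from the request URL, 0 if the credential lookup would miss. */
static int template_matches_request(const char *tmpl, const char *url,
                                    const char *extra_term)
{
    char th[256], uh[256];
    if (extract_host(tmpl, extra_term, th, sizeof th) < 0) return 0;
    if (extract_host(url, "", uh, sizeof uh) < 0) return 0;
    return host_hash(th) == host_hash(uh) && strcmp(th, uh) == 0;
}

int main(void)
{
    /* URLs and templates as quoted in the report above. */
    const char *t1 = "http://mymachine.mydomain.com/website*";
    const char *u1 = "http://mymachine.mydomain.com/website/protecteddir";
    const char *t2 = "http://mymachine2.mydomain2.com*";
    const char *u2 = "http://mymachine2.mydomain2.com/protectedwebsite";
    printf("'/' only:   first=%d second=%d\n",
           template_matches_request(t1, u1, ""),
           template_matches_request(t2, u2, ""));
    printf("'/' or '*': first=%d second=%d\n",
           template_matches_request(t1, u1, "*"),
           template_matches_request(t2, u2, "*"));
    return 0;
}
```

With '/' as the only terminator, the first template matches because its `*` falls after a path separator, while the second keeps the `*` inside the host and misses. Whether accepting `*` as a terminator has side effects elsewhere in libwww is not something this sketch can show.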