 

This queue is for tickets about the Apache2-AuthenNTLM-Cookie CPAN distribution.

Report information
The Basics
Id: 36847
Status: resolved
Priority: 0/
Queue: Apache2-AuthenNTLM-Cookie

People
Owner: DAMI [...] cpan.org
Requestors: DAMI [...] cpan.org
SubbaiahAnnamalai [...] Eaton.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.01
Fixed in: (no value)



Subject: content of POST requests is corrupted.
For URLs authenticated with Apache2::AuthenNTLM::Cookie, the content of POST requests is corrupted.

Hypothesis: probably the input stream is left in an incorrect state after the cookie handling code. Maybe this has to do with Apache2::Cookie (which relies on libaprequest) being used in an early Apache phase. No idea how to fix this, except perhaps write code by hand to deal with cookie headers.
Subject: Apache2-AuthenNTLM-Cookie Bug
Date: Wed, 17 Dec 2008 16:34:21 -0500
To: <bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From: <SubbaiahAnnamalai [...] Eaton.com>
Hi,

I just completed installation of Apache2-AuthenNTLM-Cookie. But it is working only for GET requests. It doesn't work for POST requests. Do you have any patch for this?

My environment details:
Apache/2.2.8 (Unix) DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.8.9

Thanks
Subbaiah
Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date: Thu, 18 Dec 2008 12:23:41 +0100 (CET)
To: bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org
From: laurent.dami [...] free.fr
Hi,

This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-))

The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit.

If I make any progress I'll keep you informed.

Best regards,
Laurent Dami
----- Original Mail -----
From: "SubbaiahAnnamalai@Eaton.com via RT" <bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org>
To: undisclosed-recipients:;
Sent: Wednesday 17 December 2008 22:34:43 (GMT+0100) Auto-Detected
Subject: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug

Wed Dec 17 16:34:42 2008: Request 41795 was acted upon.
Transaction: Ticket created by SubbaiahAnnamalai@Eaton.com
Queue: Apache2-AuthenNTLM-Cookie
Subject: Apache2-AuthenNTLM-Cookie Bug
Broken in: (no value)
Severity: (no value)
Owner: Nobody
Requestors: SubbaiahAnnamalai@Eaton.com
Status: new
Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=41795 >

Hi,

I just completed installation of Apache2-AuthenNTLM-Cookie. But it is working only for GET requests. It doesn't work for POST requests. Do you have any patch for this?

My environment details:
Apache/2.2.8 (Unix) DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.8.9

Thanks
Subbaiah
Subject: RE: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date: Thu, 18 Dec 2008 10:06:08 -0500
To: <bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From: <SubbaiahAnnamalai [...] Eaton.com>
Thanks for your reply. Please keep me posted.

Thanks
Subbaiah

-----Original Message-----
From: laurent.dami@free.fr via RT [mailto:bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org]
Sent: Thursday, December 18, 2008 6:24 AM
To: Annamalai, Subbaiah
Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug

<URL: http://rt.cpan.org/Ticket/Display.html?id=41795 >

Hi,

This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-))

The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit.

If I make any progress I'll keep you informed.

Best regards,
Laurent Dami
Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date: Mon, 5 Jan 2009 14:01:20 -0500
To: <bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From: <SubbaiahAnnamalai [...] Eaton.com>
Hi Laurent Dami,

Have you had a chance to look at the issue with POST method? Please let me know.

Thanks
Subbaiah

-----Original Message-----
From: Annamalai, Subbaiah
Sent: Thursday, December 18, 2008 10:06 AM
To: 'bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org'
Subject: RE: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug

Thanks for your reply. Please keep me posted.

Thanks
Subbaiah

-----Original Message-----
From: laurent.dami@free.fr via RT [mailto:bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org]
Sent: Thursday, December 18, 2008 6:24 AM
To: Annamalai, Subbaiah
Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug

<URL: http://rt.cpan.org/Ticket/Display.html?id=41795 >

Hi,

This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-))

The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit.

If I make any progress I'll keep you informed.

Best regards,
Laurent Dami
From: evuigner [...] gmail.com
Here is my fix that appears to work with PHP, to add at the top of the page:

    # Empty POST NTLM IE
    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        $header = apache_request_headers();
        $aAuth = isset($header['Authorization']) ? $header['Authorization'] : null;
        if (($aAuth != null) && (substr($aAuth,0,5) == 'NTLM ')) {
            $msg = base64_decode(substr($aAuth,5));
            // Byte 8 holds the NTLM message type; 0x01 is a type 1 message
            if ($msg[8] == "\x01") {
                // Fake type 2 message: signature, type, empty target name,
                // flags, then 24 zero bytes
                $msg2 = "NTLMSSP\x00\x02\x00\x00\x00".
                        "\x00\x00\x00\x00".
                        "\x00\x00\x00\x00".
                        "\x01\x02\x81\x00".
                        "\x00\x00\x00\x00\x00\x00\x00\x00".
                        "\x00\x00\x00\x00\x00\x00\x00\x00".
                        "\x00\x00\x00\x00\x00\x00\x00\x00";
                header('HTTP/1.1 401 Unauthorized');
                header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
                exit;
            }
        }
    }

Regards,
Emmanuel

On Thu 19 Jun 2008 15:55:17, DAMI wrote:
> for urls authentified with Apache2::AuthenNTLM::Cookie, the content of
> POST requests is corrupted .
>
> Hypothesis : probably the input stream is left in an incorrect state
> after the cookie handling code. Maybe this has to do with
> Apache2::Cookie (which relies on libaprequest) being used in an early
> Apache phase. No idea how to fix this, except perhaps write code by
> hand to deal with cookie headers.
On Wed 03 Mar 2010 12:50:20, maiis wrote:
> Here is my fix that appear to works with PHP, to add in the top of
> the page:

Hi Emmanuel, thanks for the tip.

Meanwhile I just found the reference
http://lists.samba.org/archive/jcifs/2006-September/006554.html
that explains the origin of the problem.

So now that I have a better understanding of what is happening, I'll try to fix the problem.
From: evuigner [...] gmail.com
I had found the solution with the reg key DisableNTLMPreAuth, but it was impossible to use this regarding my clients :)

Would be nice if you fix it directly in the module.

On Wed 03 Mar 2010 23:18:10, DAMI wrote:
> On Wed 03 Mar 2010 12:50:20, maiis wrote:
> > Here is my fix that appear to works with PHP, to add in the top of
> > the page:
>
> Hi Emmanuel, thanks for the tip
>
> Meanwhile I just found the reference
> http://lists.samba.org/archive/jcifs/2006-September/006554.html
> that explains the origin of the problem.
>
> So now that I have a better understanding of what is happening, I'll
> try to fix the problem.
On Thu 04 Mar 2010 02:23:30, maiis wrote:
> I've had found the solution with the reg key DisableNTLMPreAuth, but it
> was impossible to use this regarding my clients :)
>
> WOuld be nice if you fix it directly in the module.
>
>
> On Wed 03 Mar 2010 23:18:10, DAMI wrote:
> > On Wed 03 Mar 2010 12:50:20, maiis wrote:
> > > Here is my fix that appear to works with PHP, to add in the top of
> > > the page:
> >
> > Hi Emmanuel, thanks for the tip
> >
> > Meanwhile I just found the reference
> > http://lists.samba.org/archive/jcifs/2006-September/006554.html
> > that explains the origin of the problem.
> >
> > So now that I have a better understanding of what is happening, I'll
> > try to fix the problem.
>
Version 1.0, just committed to CPAN, fixes the problem. If a POST request with an empty body and an NTLM type 1 msg is received, then we respond with a fake NTLM type 2 msg, so that MSIE will send a type 3 msg again, with the body.
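
The decision rule described in the last message (empty-body POST carrying an NTLM type 1 message gets a 401 with a fake type 2), written out as an added Python example; it is not the module's Perl code nor part of the ticket. The function names are hypothetical, and the type 2 bytes are the same 48 bytes as in the PHP workaround posted above.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def ntlm_message_type(authorization):
    """Return the NTLM message type (1, 2 or 3) carried by an Authorization
    header value, or None when it is not a well-formed NTLM token."""
    if not authorization or not authorization.startswith("NTLM "):
        return None
    try:
        raw = base64.b64decode(authorization[5:].strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # 8-byte signature, then a little-endian 32-bit message type
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in (1, 2, 3) else None

def fake_type2():
    """Build the 48-byte type 2 message used by the PHP workaround."""
    return b"".join([
        NTLMSSP_SIGNATURE,
        struct.pack("<I", 2),           # message type 2
        b"\x00" * 8,                    # empty target-name buffer
        struct.pack("<I", 0x00810201),  # flags, bytes 01 02 81 00 as in the PHP
        b"\x00" * 8,                    # challenge: constant zeros
        b"\x00" * 16,                   # remaining zero fields
    ])

def preauth_response(method, headers):
    """Return (status, headers) for an empty POST with a type 1 message,
    or None when the request should go through normal handling."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        body_len = int(h.get("content-length", "0"))
    except ValueError:
        return None
    if method.upper() != "POST" or body_len != 0:
        return None
    if ntlm_message_type(h.get("authorization")) != 1:
        return None
    token = base64.b64encode(fake_type2()).decode("ascii")
    return 401, {"WWW-Authenticate": "NTLM " + token}
```

Because the challenge is constant, the type 3 reply to it is replayable and should not by itself be treated as proof of identity; the example assumes the request is authenticated by other means, such as the module's cookie.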

