Bug #36847 for Apache2-AuthenNTLM-Cookie: content of POST requests is corrupted.

Thu Jun 19 15:55:17 2008 DAMI [...] cpan.org - Ticket created

Subject:

content of POST requests is corrupted.

for urls authentified with Apache2::AuthenNTLM::Cookie, the content of POST requests is corrupted . Hypothesis : probably the input stream is left in an incorrect state after the cookie handling code. Maybe this has to do with Apache2::Cookie (which relies on libaprequest) being used in an early Apache phase. No idea how to fix this, except perhaps write code by hand to deal with cookie headers.

Wed Dec 17 16:34:42 2008 SubbaiahAnnamalai [...] Eaton.com - Ticket #41795: Ticket created

Subject:	Apache2-AuthenNTLM-Cookie Bug
Date:	Wed, 17 Dec 2008 16:34:21 -0500
To:	<bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From:	<SubbaiahAnnamalai [...] Eaton.com>

Hi , I just completed installation of Apache2-AuthenNTLM-Cookie. But it is working only for GET requests. It doesnt work for POST requests. Do you have any patch for this? My environment details: Apache/2.2.8 (Unix) DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.8.9 Thanks Subbaiah

Thu Dec 18 06:23:54 2008 laurent.dami [...] free.fr - Ticket #41795: Correspondence added

Subject:	Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date:	Thu, 18 Dec 2008 12:23:41 +0100 (CET)
To:	bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org
From:	laurent.dami [...] free.fr

Hi, This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-)) The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit. If I make any progress I'll keep you informed. Best regards, Laurent Dami Show quoted text

----- Mail Original ----- De: "SubbaiahAnnamalai@Eaton.com via RT" <bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org> À: undisclosed-recipients:; Envoyé: Mercredi 17 Décembre 2008 22:34:43 (GMT+0100) Auto-Detected Objet: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug Wed Dec 17 16:34:42 2008: Request 41795 was acted upon. Transaction: Ticket created by SubbaiahAnnamalai@Eaton.com Queue: Apache2-AuthenNTLM-Cookie Subject: Apache2-AuthenNTLM-Cookie Bug Broken in: (no value) Severity: (no value) Owner: Nobody Requestors: SubbaiahAnnamalai@Eaton.com Status: new Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=41795 > Hi , I just completed installation of Apache2-AuthenNTLM-Cookie. But it is working only for GET requests. It doesnt work for POST requests. Do you have any patch for this? My environment details: Apache/2.2.8 (Unix) DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.8.9 Thanks Subbaiah Hi , I just completed installation of Apache2-AuthenNTLM-Cookie. But it is working only for GET requests. It doesnt work for POST requests. Do you have any patch for this? My environment details: Apache/2.2.8 (Unix) DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.8.9 Thanks Subbaiah

Thu Dec 18 06:23:54 2008 The RT System itself - Ticket #41795: Status changed from 'new' to 'open'

Thu Dec 18 06:27:25 2008 DAMI [...] cpan.org - Ticket #41795: Merged into ticket #36847

Thu Dec 18 06:27:25 2008 DAMI [...] cpan.org - Merged into ticket #36847

Thu Dec 18 10:07:15 2008 SubbaiahAnnamalai [...] Eaton.com - Correspondence added

Subject:	RE: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date:	Thu, 18 Dec 2008 10:06:08 -0500
To:	<bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From:	<SubbaiahAnnamalai [...] Eaton.com>

Thanks for your reply. Please keep me posted. Thanks Subbaiah Show quoted text

-----Original Message----- From: laurent.dami@free.fr via RT [mailto:bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org] Sent: Thursday, December 18, 2008 6:24 AM To: Annamalai, Subbaiah Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug <URL: http://rt.cpan.org/Ticket/Display.html?id=41795 > Hi, This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-)) The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit. If I make any progress I'll keep you informed. Best regards, Laurent Dami

Mon Jan 05 14:02:00 2009 SubbaiahAnnamalai [...] Eaton.com - Correspondence added

Subject:	Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug
Date:	Mon, 5 Jan 2009 14:01:20 -0500
To:	<bug-Apache2-AuthenNTLM-Cookie [...] rt.cpan.org>
From:	<SubbaiahAnnamalai [...] Eaton.com>

Hi Laurent Dami, Have you had a chance to look at the issue with POST method? Please let me know. Thanks Subbaiah Show quoted text

-----Original Message----- From: Annamalai, Subbaiah Sent: Thursday, December 18, 2008 10:06 AM To: 'bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org' Subject: RE: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug Thanks for your reply. Please keep me posted. Thanks Subbaiah

-----Original Message----- From: laurent.dami@free.fr via RT [mailto:bug-Apache2-AuthenNTLM-Cookie@rt.cpan.org] Sent: Thursday, December 18, 2008 6:24 AM To: Annamalai, Subbaiah Subject: Re: [rt.cpan.org #41795] Apache2-AuthenNTLM-Cookie Bug <URL: http://rt.cpan.org/Ticket/Display.html?id=41795 > Hi, This is a known critical bug (see https://rt.cpan.org/Ticket/Display.html?id=36847). So far I had no time to investigate, but now that there is a second user for that module, I'll try to look again at that stuff :-)) The problem is quite tricky, though. My hypothesis was a bad interaction with libaprequest, but I got answers from the mod_perl list saying that this is unlikely to be the culprit. If I make any progress I'll keep you informed. Best regards, Laurent Dami

Wed Mar 03 12:50:20 2010 evuigner [...] gmail.com - Correspondence added

From:

evuigner [...] gmail.com

Here is my fix that appear to works with PHP, to add in the top of the page: # Empty POST NTLM IE if ($_SERVER['REQUEST_METHOD'] == "POST") { $header = apache_request_headers(); $aAuth = isset($header['Authorization']) ? $header['Authorization'] : null; if (($aAuth != null) && (substr($aAuth,0,5) == 'NTLM ')) { $msg = base64_decode(substr($aAuth,5)); if ($msg[8] == "\x01") { $msg2 = "NTLMSSP\x00\x02\x00\x00\x00". "\x00\x00\x00\x00". "\x00\x00\x00\x00". "\x01\x02\x81\x00". "\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00"; header('HTTP/1.1 401 Unauthorized'); header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2))); exit; } } } Regards, Emmanuel Le Jeu 19 Juin 2008 15:55:17, DAMI a écrit : Show quoted text

> for urls authentified with Apache2::AuthenNTLM::Cookie, the content of > POST requests is corrupted . > > Hypothesis : probably the input stream is left in an incorrect state > after the cookie handling code. Maybe this has to do with > Apache2::Cookie (which relies on libaprequest) being used in an early > Apache phase. No idea how to fix this, except perhaps write code by > hand to deal with cookie headers.

Wed Mar 03 12:50:24 2010 The RT System itself - Status changed from 'new' to 'open'

Wed Mar 03 23:18:10 2010 DAMI [...] cpan.org - Correspondence added

Le Mer 03 Mar 2010 12:50:20, maiis a écrit : Show quoted text

> Here is my fix that appear to works with PHP, to add in the top of

the page: Hi Emmanuel, thanks for the tip Meanwhile I just found the reference http://lists.samba.org/archive/jcifs/2006-September/006554.html that explains the origin of the problem. So now that I have a better understanding of what is happening, I'll try to fix the problem.

Thu Mar 04 02:23:30 2010 evuigner [...] gmail.com - Correspondence added

From:

evuigner [...] gmail.com

I've had found the solution with the reg key DisableNTLMPreAuth, but it was impossible to use this regarding my clients :) WOuld be nice if you fix it directly in the module. Le Mer 03 Mar 2010 23:18:10, DAMI a écrit : Show quoted text

> Le Mer 03 Mar 2010 12:50:20, maiis a écrit :

> > Here is my fix that appear to works with PHP, to add in the top of

> the page: > > Hi Emmanuel, thanks for the tip > > Meanwhile I just found the reference > http://lists.samba.org/archive/jcifs/2006-September/006554.html > that explains the origin of the problem. > > So now that I have a better understanding of what is happening, I'll > try to fix the problem.

Tue Jun 22 17:20:52 2010 DAMI [...] cpan.org - Correspondence added

Le Jeu 04 Mar 2010 02:23:30, maiis a écrit : Show quoted text

> I've had found the solution with the reg key DisableNTLMPreAuth, but it > was impossible to use this regarding my clients :) > > WOuld be nice if you fix it directly in the module. > > > Le Mer 03 Mar 2010 23:18:10, DAMI a écrit :

> > Le Mer 03 Mar 2010 12:50:20, maiis a écrit :

> > > Here is my fix that appear to works with PHP, to add in the top of

> > the page: > > > > Hi Emmanuel, thanks for the tip > > > > Meanwhile I just found the reference > > http://lists.samba.org/archive/jcifs/2006-September/006554.html > > that explains the origin of the problem. > > > > So now that I have a better understanding of what is happening, I'll > > try to fix the problem.

>

Version 1.0, just committed to CPAN, fixes the problem. If an POST request with empty body and with NTLM type1 msg is received, then we respond with a fake NTLM type2 msg, so that MSIE will send again a type3 msg, with the body.

Tue Jun 22 17:20:54 2010 DAMI [...] cpan.org - Status changed from 'open' to 'resolved'