Auth question

Joe Orton joe at manyfish.co.uk
Tue Mar 1 08:31:37 EST 2011


On Tue, Mar 01, 2011 at 02:19:52PM +0100, Patrick Ohly wrote:
> On Di, 2011-03-01 at 09:18 +0100, Henrik Holst wrote:
> > 2011/2/28 Joe Orton <joe at manyfish.co.uk>:
> > >> There is another use case. I am working on a CalDAV/CardDAV backend for
> > >> SyncEvolution, a PIM data synchronization tool. Right now I am trying to get
> > >> service discovery via DNS SRV and /.well-known/[carddav|caldav] working.
> > >
> > > http://tools.ietf.org/html/rfc4918#appendix-E
> > >
> > > has guidance on the "how to trigger authentication" problem.
> > 
> > One just has to love the text of that rfc: "This appendix
> >    describes a couple approaches that seem particularly likely to work."
> 
> Indeed. 

This topic was controversial within the DAV working group, so there is 
some history behind that particular choice of wording ;) It's a 
difficult problem.  See e.g. this thread:

http://lists.w3.org/Archives/Public/w3c-dist-auth/2005OctDec/0243.html

> My code passes temporary strings to ne_request_create(). ne_request.c
> itself copies the strings (as expected) but it also passes the caller's
> "method" string (and not the copy!) to ne_auth.c/ah_create(), which then
> leads to a read-after-free error in request_digest(). Patch attached.

Great catch, thanks a lot! I've committed this.

Regards, Joe
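
The lifetime bug described in the quoted report, reduced to its pattern as an added example (not neon's code and not the attached patch): the request copies the method string, but a hook that reads it later is given either the caller's pointer or the copy. `struct request`, `struct auth_hook` and `hook_sees_method` are hypothetical stand-ins, and the caller's buffer is overwritten rather than freed so the stale read is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; these are not neon's structures. */
struct auth_hook { const char *method; };   /* pointer kept until digest time */
struct request   { char *method; struct auth_hook hook; };

static struct request *request_create(const char *method, int hook_uses_copy)
{
    size_t len = strlen(method) + 1;
    struct request *req = malloc(sizeof *req);
    if (req == NULL) return NULL;
    req->method = malloc(len);
    if (req->method == NULL) { free(req); return NULL; }
    memcpy(req->method, method, len);        /* the request owns this copy */
    /* Buggy variant hands the hook the caller's pointer; fixed variant the copy. */
    req->hook.method = hook_uses_copy ? req->method : method;
    return req;
}

static void request_destroy(struct request *req)
{
    if (req) { free(req->method); free(req); }
}

/* Returns 1 if the hook still sees the original method after the caller's
 * temporary has been reused, 0 if it sees clobbered data, -1 on allocation failure. */
int hook_sees_method(const char *method, int hook_uses_copy)
{
    char tmp[32];
    struct request *req;
    int ok;
    snprintf(tmp, sizeof tmp, "%s", method); /* caller's temporary string */
    req = request_create(tmp, hook_uses_copy);
    if (req == NULL) return -1;
    /* The caller is done with its temporary. Overwriting it stands in for
     * free(): with a real free() the read below would be a read-after-free. */
    memset(tmp, 'X', strlen(tmp));
    ok = strcmp(req->hook.method, method) == 0;  /* the later digest-time read */
    request_destroy(req);
    return ok;
}

int main(void)
{
    printf("caller's pointer: %d, owned copy: %d\n", hook_sees_method("PROPFIND", 0), hook_sees_method("PROPFIND", 1));
    return 0;
}
```

With a heap-allocated temporary that is actually freed, building the buggy variant with AddressSanitizer reports the stale read directly.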


