* Need help with Rack::Auth::Digest.. (maybe bug)
@ 2010-05-19 11:16 maxmotor
From: maxmotor @ 2010-05-19 11:16 UTC (permalink / raw)
To: Rack Development
Hi All,
First of all, I'm sorry for my English.
Maybe I made a mistake, but it looks like I found a bug in the Rack::Auth::Digest
implementation (rack-1.1.0).
If passwords_hashed is not set to true then you can't provide
verification in the 'normal way', because @authenticator.call returns the
password value and it does not matter whether it is a password or nil, false, etc.
For example, by 'normal way' I mean something like this:
example1:
  Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
    'admin_pass' if login == 'admin'
  end
In this case value = @authenticator.call(auth.username) returns nil,
which means you can use an empty password (value.to_s = '') with any
login except 'admin'.
example2:
  Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
    login == 'admin' ? 'admin_pass' : false
  end
In this case you can use password = 'false' (value.to_s = 'false')
with any login except 'admin'.
To avoid this you have to use hacks. For example:
example1: raise an exception
  Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
    login == 'admin' ? 'admin_pass' : raise('Invalid password')
  end
example2: return a random password
  Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
    login == 'admin' ? 'admin_pass' : rand
  end
etc...
But I think it should be fixed inside 'valid_digest?'. For example:
  def valid_digest?(auth)
    !!(pass = @authenticator.call(auth.username)) && (digest(auth, pass) == auth.response)
  end
P.S. As a variant to avoid this problem you can set passwords_hashed to
true, but in this case you need a properly generated hash for the
password (password_hash = HA1 = MD5(A1) = MD5(username:realm:password)).
Please help/correct me if I am wrong.
Thank you in advance!
--
Regards, Max
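The behaviour described in the message above, reproduced as an added stand-alone example (this is not Rack's code and not part of the original post). It models the unhashed-password path of digest verification with a constructed AuthParams struct and constructed nonce/cnonce values, then compares the original check (whatever the authenticator returns is stringified into the digest) with the proposed check that treats a nil/false result as a failed login:

```ruby
require 'digest/md5'

# Constructed stand-in for the request fields Rack::Auth::Digest reads
# (assumption: these are the only inputs the digest needs).
AuthParams = Struct.new(:username, :realm, :nonce, :nc, :cnonce, :qop,
                        :method, :uri, :response)

# Array#join calls to_s on each part, so nil becomes '' and false becomes 'false'.
# This is exactly how a nil/false password leaks into the digest.
def md5(*parts)
  Digest::MD5.hexdigest(parts.join(':'))
end

# Server-side digest for the passwords_hashed = false case:
# HA1 = MD5(username:realm:password), HA2 = MD5(method:uri).
def digest(auth, password)
  ha1 = md5(auth.username, auth.realm, password)
  ha2 = md5(auth.method, auth.uri)
  md5(ha1, auth.nonce, auth.nc, auth.cnonce, auth.qop, ha2)
end

# Original-style check: no test on the authenticator's return value.
def valid_digest_weak?(auth, authenticator)
  digest(auth, authenticator.call(auth.username)) == auth.response
end

# Proposed check: a falsy authenticator result is an authentication failure.
def valid_digest_strict?(auth, authenticator)
  !!(pass = authenticator.call(auth.username)) &&
    (digest(auth, pass) == auth.response)
end

# Build the Authorization parameters a client would send for a given password
# (constructed nonce/cnonce; a real server issues the nonce).
def client_request(username, password, realm: 'Admin')
  auth = AuthParams.new(username, realm, 'constructed-nonce', '00000001',
                        'c1', 'auth', 'GET', '/secret', nil)
  auth.response = digest(auth, password)
  auth
end

# The two authenticator blocks from the message.
AUTH_NIL   = ->(login) { 'admin_pass' if login == 'admin' }   # nil for others
AUTH_FALSE = ->(login) { login == 'admin' ? 'admin_pass' : false }

# Run every combination and return the verdicts so they can be inspected.
def outcomes
  legit  = client_request('admin', 'admin_pass')
  empty  = client_request('nobody', '')      # matches nil.to_s
  falsey = client_request('nobody', 'false') # matches false.to_s
  {
    weak_legit:        valid_digest_weak?(legit, AUTH_NIL),
    weak_nil_bypass:   valid_digest_weak?(empty, AUTH_NIL),
    weak_false_bypass: valid_digest_weak?(falsey, AUTH_FALSE),
    strict_legit:      valid_digest_strict?(legit, AUTH_NIL),
    strict_nil:        valid_digest_strict?(empty, AUTH_NIL),
    strict_false:      valid_digest_strict?(falsey, AUTH_FALSE),
  }
end

outcomes.each { |k, v| puts "#{k}: #{v}" } if $PROGRAM_NAME == __FILE__
```

With the weak check the unknown user 'nobody' is accepted with password '' (nil authenticator) or 'false' (false authenticator); with the strict check only the real admin credential passes, and the legitimate login still works because `&&` short-circuits only on a falsy password.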