rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* "WWW-Authenticate" header generated by Auth::Digest::MD5 is wrong (RFC 2617 BNF) [includes patch]
@ 2009-12-18 19:44 Iñaki Baz Castillo
From: Iñaki Baz Castillo @ 2009-12-18 19:44 UTC (permalink / raw)
  To: rack-devel

[-- Attachment #1: Type: Text/Plain, Size: 3326 bytes --]

Hi, Rack::Auth::Digest::MD5 generates "WWW-Authenticate" like this:

  WWW-Authenticate: Digest realm="domain.org",
    nonce="MTI2MTE2NDI0OCAxMzE5MmUwMjQ5NmRmMjliZTU5NTFjNTc1NTg5OThlNQ==",
    opaque="acc85fcea72cd0e4032763ed0c565dbc", qop=auth

The 'qop' field is wrong, as it must appear enclosed in double quotation marks 
("). This is because the 'qop' parameter could contain more than one value 
separated by space.

On the other hand, the "WWW-Authorization" header sent by the client also 
contains a 'qop' parameter, but it must not enclose the value in double 
quotation marks, as it allows just a single value.


RFC 2617 (Digest) clearly says that the 'qop' value(s) must be enclosed in quotation marks ("):

  3.2.1 The WWW-Authenticate Response Header

      challenge        =  "Digest" digest-challenge

      digest-challenge  = 1#( realm | [ domain ] | nonce |
                          [ opaque ] |[ stale ] | [ algorithm ] |
                          [ qop-options ] | [auth-param] )


      domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
      URI               = absoluteURI | abs_path
      nonce             = "nonce" "=" nonce-value
      nonce-value       = quoted-string
      opaque            = "opaque" "=" quoted-string
      stale             = "stale" "=" ( "true" | "false" )
      algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
                           token )
      qop-options       = "qop" "=" <"> 1#qop-value <">
      qop-value         = "auth" | "auth-int" | token


Note that 'qop-options' is:

  qop-options       = "qop" "=" <"> 1#qop-value <">


I attach a patch which fixes it (taken from Rack 1.0.1).



On the other hand, the "WWW-Authorization" header sent by the client has a 
different format for the 'qop' parameter (with no quotation marks and a single value):

  3.2.2 The Authorization Request Header

       credentials      = "Digest" digest-response
       digest-response  = 1#( username | realm | nonce | digest-uri
                       | response | [ algorithm ] | [cnonce] |
                       [opaque] | [message-qop] |
                           [nonce-count]  | [auth-param] )

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1
       message-qop      = "qop" "=" qop-value
       cnonce           = "cnonce" "=" cnonce-value
       cnonce-value     = nonce-value
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       response         = "response" "=" request-digest
       request-digest = <"> 32LHEX <">
       LHEX             =  "0" | "1" | "2" | "3" |
                           "4" | "5" | "6" | "7" |
                           "8" | "9" | "a" | "b" |
                           "c" | "d" | "e" | "f"


Note that 'message-qop' is:

  message-qop      = "qop" "=" qop-value

and 'qop-value' is defined in section 3.2.1 as:

  qop-value         = "auth" | "auth-int" | token

so it must appear without quotation.





BTW, is there a bug tracker for the Rack project, or is this mailing list the 
appropriate place to report bugs?

Regards.



-- 
Iñaki Baz Castillo <ibc@aliax.net>

[-- Attachment #2: auth_digest_params.rb.diff --]
[-- Type: text/x-patch, Size: 354 bytes --]

--- lib/rack/auth/digest/params.rb.old  2009-12-18 20:42:09.000000000 +0100
+++ lib/rack/auth/digest/params.rb      2009-12-18 20:42:24.000000000 +0100
@@ -35,7 +35,7 @@
           super k.to_s, v.to_s
         end

-        UNQUOTED = ['qop', 'nc', 'stale']
+        UNQUOTED = ['nc', 'stale']

         def to_s
           inject([]) do |parts, (k, v)|
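Review bot: dropping 'qop' from UNQUOTED makes `to_s` quote it in every header this Params class serializes, which is right for the WWW-Authenticate challenge (`qop-options = "qop" "=" <"> 1#qop-value <">`) but would be wrong if the same `to_s` were ever used to build client-side credentials, where `message-qop = "qop" "=" qop-value` is a bare single token; please confirm in the full file that `to_s` only feeds the challenge, or keep one quoting list per direction. Two smaller points on the same line: 'algorithm' is also a bare token in 3.2.1 yet remains quoted by this list, and the change ships without a spec asserting that the emitted challenge contains `qop="auth"` while parsing of an unquoted `qop=auth` in the client's Authorization header keeps working.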

^ permalink raw reply	[flat|nested] 2+ messages in thread
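The quoting asymmetry the post describes, as an added example in Ruby that is not Rack's code: one serializer applying the 3.2.1 rules to the challenge and the 3.2.2 rules to the credentials, plus a tolerant parser and a shape check for the inbound header. The function names (challenge_to_s, credentials_to_s, parse_digest, well_formed_credentials?) and the sample values are my own.

```ruby
# Added example, not Rack's code: RFC 2617 quoting for Digest parameters,
# kept separate per direction because the grammar differs (3.2.1 vs 3.2.2).
# Bare-token parameters in each direction; everything else is a quoted-string.
# 'qop' is bare only in the client's credentials (message-qop).
CHALLENGE_UNQUOTED   = %w[stale algorithm].freeze
CREDENTIALS_UNQUOTED = %w[qop nc algorithm].freeze
LHEX = /\A[0-9a-f]+\z/

def quote(v)
  '"' + v.to_s.gsub(/(["\\])/, '\\\\\1') + '"'
end

def serialize(params, unquoted)
  parts = params.map do |k, v|
    k = k.to_s
    v = v.join(',') if v.is_a?(Array) # qop-options is a 1#qop-value list
    unquoted.include?(k) ? "#{k}=#{v}" : "#{k}=#{quote(v)}"
  end
  'Digest ' + parts.join(', ')
end

def challenge_to_s(params)
  serialize(params, CHALLENGE_UNQUOTED)
end

def credentials_to_s(params)
  serialize(params, CREDENTIALS_UNQUOTED)
end

# Tolerant parser for either header: accepts quoted or bare values (clients
# in the wild quote qop despite 3.2.2) and unescapes quoted-pairs.
PARAM_RE = /(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/

def parse_digest(header)
  raise ArgumentError, 'not a Digest header' unless header.start_with?('Digest ')
  params = {}
  header.sub(/\ADigest\s+/, '').scan(PARAM_RE) do |k, quoted, bare|
    params[k] = quoted ? quoted.gsub(/\\(.)/, '\1') : bare
  end
  params
end

# Server-side shape check before any hashing: response is 32LHEX, nc (if
# present) is 8LHEX, and qop carries a single value, per 3.2.2.
def well_formed_credentials?(p)
  return false unless p['response'].to_s.length == 32 && p['response'] =~ LHEX
  return false if p.key?('nc') && !(p['nc'].length == 8 && p['nc'] =~ LHEX)
  return false if p.key?('qop') && p['qop'].include?(',')
  true
end
```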

* Re: "WWW-Authenticate" header generated by Auth::Digest::MD5 is wrong  (RFC 2617 BNF) [includes patch]
From: Scytrin dai Kinthra @ 2009-12-18 22:00 UTC (permalink / raw)
  To: rack-devel

[-- Attachment #1: Type: text/plain, Size: 3477 bytes --]

The official bug and ticketing system is referred to in the rubydocs. It
used to be rack-devel but is now on lighthouse.

[-- Attachment #2: Type: text/html, Size: 5198 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
