#801 Digest authentication fails if realm contains quotes

closed-fixed
http (201)
5
2013-06-21
2009-01-25
Alexey Borzov
No

If the "realm" parameter in a digest authentication challenge contains (escaped) quotes, curl fails to parse that and consequently fails to authenticate.

Note that the value of the realm parameter is defined in RFC 2617 as quoted-string, which is in turn defined in RFC 2616 as
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
quoted-pair = "\" CHAR

so such a value for realm is perfectly valid (and allowed by e.g. Apache).

-------------------------------------------------

C:\web\curl-7.19.3>curl --digest -u "foo:bar" -v http://127.0.0.1/digest/
* About to connect() to 127.0.0.1 port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
* Server auth using Digest with user 'foo'
> GET /digest/ HTTP/1.1
> User-Agent: curl/7.19.3 (i586-pc-mingw32msvc) libcurl/7.19.3 zlib/1.2.3
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Sun, 25 Jan 2009 13:53:59 GMT
< Server: Apache/2.0.63 (Win32) PHP/5.2.5
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Weird \"realm\" for digest", nonce="+Fs/9E5hBAA=e30cfaf462aa82efc0f13e4f6b0bb615390fa4fd", algorithm=MD5, qop="auth"
< Content-Length: 485
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.0.63 (Win32) PHP/5.2.5 Server at 127.0.0.1 Port 80</address>
</body></html>
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
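
Added example, not curl's code and not the fix that went into CVS: a bounded C parser for Digest challenge parameters that follows the quoted-string grammar quoted in the report, so a quoted-pair such as \" inside realm does not end the value. The names digest_param and key_eq are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive compare of key[0..klen) with a NUL-terminated name. */
static int key_eq(const char *key, size_t klen, const char *name)
{
  if(klen != strlen(name))
    return 0;
  for(size_t i = 0; i < klen; i++)
    if(tolower((unsigned char)key[i]) != tolower((unsigned char)name[i]))
      return 0;
  return 1;
}

/* Hypothetical helper, not curl's code: copy auth-param `name` from a
   challenge into out[outlen], decoding quoted-pairs (\" becomes ").
   Returns 0 on success, -1 if absent, unterminated or too long. */
int digest_param(const char *p, const char *name, char *out, size_t outlen)
{
  while(outlen && *p) {
    while(*p == ',' || isspace((unsigned char)*p))
      p++;
    const char *key = p;
    while(*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p))
      p++;
    if(*p != '=')
      continue;                 /* bare token such as the "Digest" scheme */
    int match = key_eq(key, (size_t)(p - key), name);
    int quoted = (*++p == '"');
    size_t n = 0;
    p += quoted;                /* step past the opening quote */
    while(*p && (quoted ? *p != '"'
                        : (*p != ',' && !isspace((unsigned char)*p)))) {
      if(quoted && *p == '\\' && !*++p)
        return -1;              /* backslash with nothing after it */
      if(match && n + 1 >= outlen)
        return -1;              /* does not fit: fail rather than truncate */
      if(match)
        out[n++] = *p;          /* after a backslash this is the escaped char */
      p++;
    }
    if(quoted && *p++ != '"')
      return -1;                /* closing quote missing */
    if(match) {
      out[n] = '\0';
      return 0;
    }
  }
  return -1;
}
```

Given the WWW-Authenticate value from the trace above and the name realm, the function returns 0 and stores `Weird "realm" for digest`; the parameters after it (nonce, algorithm, qop) are still found because the scan only stops at an unescaped closing quote.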

Discussion

  • Thanks for the report, this problem is now fixed in CVS!

     
    • status: open --> closed-fixed