
#36 HttpDigest authentication patch

closed-accepted
zsi (12)
5
2007-02-09
2006-11-09
Martin Dittmar
No

The HTTP Digest authentication (see patch 1291199) has
some bugs that prevent it from working properly, e.g. with
the apache2 web server.

This is a patch for the bug with Request ID 1593310
(http://sourceforge.net/tracker/index.php?func=detail&aid=1593310&group_id=26590&atid=387667)

The patch was done compared to SVN trunk, revision 1298
from 09 Nov 2006

What was changed:
- the uri in the digest authentication header is not the complete
uri, but only the directory on the server ("/" as default)

- the digest authentication header in the server response
(Err 401) is parsed correctly, which allows e.g. white
spaces inside quotes

Discussion

  • Martin Dittmar
    2006-11-09

    Patch for digest_auth.py

     
  • Martin Dittmar
    2006-11-09

    The complete patched file

     
    Attachments
    • assigned_to: nobody --> boverhof
    • status: open --> open-accepted
     
  • Logged In: YES
    user_id=711996
    Originator: NO

    Investigation of request-uri

    http://www.ietf.org/rfc/rfc2617.txt

    credentials = "Digest" digest-response
    digest-response = 1#( username | realm | nonce | digest-uri
    | response | [ algorithm ] | [cnonce] |
    [opaque] | [message-qop] |
    [nonce-count] | [auth-param] )

    digest-uri = "uri" "=" digest-uri-value
    digest-uri-value = request-uri ; As specified by HTTP/1.1

    3.2.2.5 Various considerations

    The "Method" value is the HTTP request method as specified in section
    5.1.1 of [2]. The "request-uri" value is the Request-URI from the
    request line as specified in section 5.1.2 of [2]. This may be "*",
    an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of
    [2], but it MUST agree with the Request-URI. In particular, it MUST
    be an "absoluteURL" if the Request-URI is an "absoluteURL".

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.2

    Request-URI = "*" | absoluteURI | abs_path | authority

    And it gives two examples, which request the same page with different "Request-URI"'s

    GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

    GET /pub/WWW/TheProject.html HTTP/1.1
    Host: www.w3.org

    So this is the wrong place to fix this bug

    I fixed it in the "client.py" code:

    $ svn diff client.py
    Index: client.py
    ===================================================================
    --- client.py (revision 1322)
    +++ client.py (working copy)
    @@ -273,8 +273,8 @@
    print >>self.trace, soapdata

    #scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)
    - path = _get_postvalue_from_absoluteURI(url)
    - self.h.putrequest("POST", path)
    + request_uri = _get_postvalue_from_absoluteURI(url)
    + self.h.putrequest("POST", request_uri)
    self.h.putheader("Content-Length", "%d" % len(soapdata))
    self.h.putheader("Content-Type", 'text/xml; charset=utf-8')
    self.__addcookies()
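    Review bot: the value handed to putrequest is unchanged by this hunk, so the rename only fixes the bug if _get_postvalue_from_absoluteURI returns exactly the string that is later placed in the digest uri= field; with `path` gone, the commented-out `#scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)` line just above it is dead context naming the old variable and could be dropped.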
    @@ -291,7 +291,7 @@
    elif self.auth_style == AUTH.httpdigest and not headers.has_key('Authorization') \ and not headers.has_key('Expect'):
    def digest_auth_cb(response):
    - self.SendSOAPDataHTTPDigestAuth(response, soapdata, url, soapaction, **kw)
    + self.SendSOAPDataHTTPDigestAuth(response, soapdata, request_uri, soapaction, **kw)
    self.http_callbacks[401] = None
    self.http_callbacks[401] = digest_auth_cb
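    Review bot: SendSOAPDataHTTPDigestAuth now receives request_uri in the positional slot that was `url`, so its parameter name and any use of that argument other than the digest uri= field (for example re-issuing the POST) should be checked or renamed to match; the `self.http_callbacks[401] = None` line immediately before the callback assignment is redundant and could go as well.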

     
    • status: open-accepted --> pending-accepted
     
  • Logged In: YES
    user_id=711996
    Originator: NO

    Investigation of challenge dict:

    I created a unittest from rfc2617 to demonstrate what I believe is correct behavior, I think you demonstrated that fetch_challenge is incomplete. However I think the patch you provided here is lacking because it doesn't ignore whitespace in some cases, so I rewrote it using re.

    Please verify that this is working in branch:
    svn co https://pywebsvcs.svn.sourceforge.net/svnroot/pywebsvcs/branches/ZSI_v2_0_0

    python test_digest_auth.py

    Basic realm="WallyWorld"

    CORRECT: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    PATCH: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    OLD: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    .============================================================
    Basic realm="Wally World"
    ============================================================
    CORRECT: {'challenge': 'Basic', 'realm': 'Wally World'}
    PATCH: {'challenge': 'Basic', 'realm': 'Wally World'}
    OLD: {'challenge': 'Basic', 'realm': 'Wally'}
    .============================================================
    Digest
    realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
    ============================================================
    CORRECT: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com', 'qop': 'auth,auth-int'}
    PATCH: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com', 'qop': 'auth,auth-int'}
    OLD: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093\n', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com\n', 'qop': 'authauth-int\n'}
    .

     
    • status: pending-accepted --> closed-accepted
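The two investigations above, that the digest uri= value must equal the Request-URI on the request line and that fetch_challenge must tolerate whitespace and commas inside quoted strings, as an added Python example that is not ZSI's own code: fetch_challenge, abs_path_from_url and digest_authorization are constructed here, the challenge strings are constructed to match the unittest output above, and the digest result is checked against the RFC 2617 section 3.5 example credentials.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample challenges, shaped like the unittest output above
# (the Digest one is the RFC 2617 section 3.5 challenge).
CHALLENGE_BASIC = 'Basic realm="Wally World"'
CHALLENGE_DIGEST = ('Digest\n realm="testrealm@host.com",\n qop="auth,auth-int",\n'
                    ' nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",\n'
                    ' opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# auth-param = token "=" ( token | quoted-string ); a quoted-string may hold
# spaces, commas and backslash-escaped quotes, which a naive split(',') breaks.
_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def fetch_challenge(header):
    """Parse a WWW-Authenticate value into {'challenge': scheme, param: value, ...}."""
    parts = header.strip().split(None, 1)  # scheme, then params, split on any whitespace
    challenge = {'challenge': parts[0]}
    for key, quoted, bare in _PARAM_RE.findall(parts[1] if len(parts) > 1 else ''):
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted else bare  # unescape \"
        challenge[key.lower()] = value
    return challenge


def abs_path_from_url(url):
    """Request-URI in abs_path form: the path (default "/") plus any query string."""
    parts = urlsplit(url)
    return (parts.path or '/') + ('?' + parts.query if parts.query else '')


def digest_authorization(challenge, username, password, method, request_uri, cnonce, nc=1):
    """Build an Authorization value for a Digest challenge (MD5, qop=auth or none).

    request_uri MUST be the exact string put on the request line (RFC 2617 3.2.2.5);
    deriving it separately here is how the original bug arose.
    """
    def md5(s):
        return hashlib.md5(s.encode('utf-8')).hexdigest()
    ha1 = md5('%s:%s:%s' % (username, challenge['realm'], password))
    ha2 = md5('%s:%s' % (method, request_uri))
    if 'auth' in challenge.get('qop', '').split(','):
        response = md5('%s:%s:%08x:%s:auth:%s' % (ha1, challenge['nonce'], nc, cnonce, ha2))
        extra = ', qop=auth, nc=%08x, cnonce="%s"' % (nc, cnonce)
    else:  # RFC 2069 style challenge without qop
        response = md5('%s:%s:%s' % (ha1, challenge['nonce'], ha2))
        extra = ''
    header = 'Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"%s' % (
        username, challenge['realm'], challenge['nonce'], request_uri, response, extra)
    if 'opaque' in challenge:  # echo opaque back unchanged, as the RFC requires
        header += ', opaque="%s"' % challenge['opaque']
    return header
```

Because Authorization uses the same auth-param syntax, fetch_challenge can also be used to read back the header it builds.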
     
  • Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).