#801 Digest authentication fails if realm contains quotes

http (206)

If the "realm" parameter in a digest authentication challenge contains (escaped) quotes, curl fails to parse it and consequently fails to authenticate.

Note that the value for the realm parameter is defined in RFC 2617 as a quoted-string, which is in turn defined in RFC 2616 as
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
quoted-pair = "\" CHAR

so such a value for realm is perfectly valid (and allowed by e.g. Apache).


C:\web\curl-7.19.3>curl --digest -u "foo:bar" -v
* About to connect() to port 80 (#0)
* Trying connected
* Connected to ( port 80 (#0)
* Server auth using Digest with user 'foo'
> GET /digest/ HTTP/1.1
> User-Agent: curl/7.19.3 (i586-pc-mingw32msvc) libcurl/7.19.3 zlib/1.2.3
> Host:
> Accept: */*
< HTTP/1.1 401 Authorization Required
< Date: Sun, 25 Jan 2009 13:53:59 GMT
< Server: Apache/2.0.63 (Win32) PHP/5.2.5
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Weird \"realm\" for digest", nonce="+Fs/9E5hBAA=e30cfaf462aa82efc0f13e4f6b0bb615390fa4fd", algorithm=MD5, qop="auth"
< Content-Length: 485
< Content-Type: text/html; charset=iso-8859-1
<title>401 Authorization Required</title>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<address>Apache/2.0.63 (Win32) PHP/5.2.5 Server at Port 80</address>
* Connection #0 to host left intact
* Closing connection #0
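
The quoted-string grammar cited in the report, as an added example in C (not curl's actual fix and not code from this tracker): a hypothetical `digest_get_param` helper reads one auth parameter from the report's challenge header, treating `\"` as an escaped quote rather than the end of the value and rejecting unterminated or oversized values. Parameter names are matched case-sensitively to keep it short.

```c
#include <stdio.h>
#include <string.h>

/* WWW-Authenticate value copied from the report's verbose output. */
static const char CHALLENGE[] =
  "Digest realm=\"Weird \\\"realm\\\" for digest\", "
  "nonce=\"+Fs/9E5hBAA=e30cfaf462aa82efc0f13e4f6b0bb615390fa4fd\", "
  "algorithm=MD5, qop=\"auth\"";

/* Hypothetical helper, not libcurl code: copy auth parameter `name` into out,
 * undoing quoted-pair escapes. Returns 0, or -1 if missing/malformed/too long. */
int digest_get_param(const char *hdr, const char *name, char *out, size_t outlen)
{
  size_t nlen = strlen(name), n;
  const char *p = strncmp(hdr, "Digest ", 7) ? hdr : hdr + 7, *key;
  int match, quoted;
  while(*p) {
    p += strspn(p, " \t,");               /* separators between pairs */
    key = p;
    p += strcspn(p, "=,");                /* end of the parameter name */
    if(*p != '=')
      continue;                           /* token without a value */
    match = (outlen && (size_t)(p - key) == nlen && !strncmp(key, name, nlen));
    quoted = (*++p == '"');
    p += quoted;                          /* step over the opening quote */
    for(n = 0; *p && (quoted ? *p != '"' : (*p != ',' && *p != ' ')); p++) {
      if(quoted && *p == '\\' && !*++p)
        return -1;                        /* backslash at end of input */
      if(match && n + 1 >= outlen)
        return -1;                        /* value does not fit in out[] */
      if(match)
        out[n++] = *p;                    /* escaped char is copied literally */
    }
    if(quoted && *p++ != '"')
      return -1;                          /* unterminated quoted-string */
    if(match) {
      out[n] = '\0';
      return 0;
    }
  }
  return -1;
}

int main(void)
{
  char realm[64];
  if(!digest_get_param(CHALLENGE, "realm", realm, sizeof(realm)))
    printf("realm: %s\n", realm);         /* Weird "realm" for digest */
  return 0;
}
```

Because quoted values are skipped as a unit, text inside a realm that merely looks like `nonce="..."` is never mistaken for the real nonce parameter.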


  • Daniel Stenberg - 2009-01-26

    Thanks for the report, this problem is now fixed in CVS!

  • Daniel Stenberg - 2009-01-26

    status: open --> closed-fixed
