#36 HttpDigest authentication patch

zsi (12)

The HTTP Digest authentication (see patch 1291199) has
some bugs that prevent it from working properly, e.g. with
the apache2 web server.

This is a patch for the bug with Request ID 1593310.

The patch was made against SVN trunk, revision 1298
from 09 Nov 2006.

What was changed:
- the uri in the digest authentication header is not the complete
uri, but only the directory on the server ("/" as default)

- the digest authentication header in the server response
(Err 401) is parsed correctly, which allows e.g. white
spaces inside quotes


  • Martin Dittmar

    Martin Dittmar - 2006-11-09

    The complete patched file

  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25
    • assigned_to: nobody --> boverhof
    • status: open --> open-accepted
  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25

    Investigation of request-uri

    credentials = "Digest" digest-response
    digest-response = 1#( username | realm | nonce | digest-uri
    | response | [ algorithm ] | [cnonce] |
    [opaque] | [message-qop] |
    [nonce-count] | [auth-param] )

    digest-uri = "uri" "=" digest-uri-value
    digest-uri-value = request-uri ; As specified by HTTP/1.1

    Various considerations

    The "Method" value is the HTTP request method as specified in section
    5.1.1 of [2]. The "request-uri" value is the Request-URI from the
    request line as specified in section 5.1.2 of [2]. This may be "*",
    an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of
    [2], but it MUST agree with the Request-URI. In particular, it MUST
    be an "absoluteURL" if the Request-URI is an "absoluteURL".

    Request-URI = "*" | absoluteURI | abs_path | authority

    And it gives two examples, which request the same page with different "Request-URI"s:

    GET HTTP/1.1

    GET /pub/WWW/TheProject.html HTTP/1.1

    So this is the wrong place to fix this bug.

    I fixed it in the "" code:

    $ svn diff
    --- (revision 1322)
    +++ (working copy)
    @@ -273,8 +273,8 @@
    print >>self.trace, soapdata

    #scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)
    - path = _get_postvalue_from_absoluteURI(url)
    - self.h.putrequest("POST", path)
    + request_uri = _get_postvalue_from_absoluteURI(url)
    + self.h.putrequest("POST", request_uri)
    self.h.putheader("Content-Length", "%d" % len(soapdata))
    self.h.putheader("Content-Type", 'text/xml; charset=utf-8')
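
    Review bot: the commented-out `#scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)` line directly above the renamed assignment still uses the old name `path`, which no longer exists after this change; delete it or update it so it is not mistaken for the value that goes on the request line. Since `request_uri` is now the one value meant for both `putrequest` and the digest `uri`, a short comment on the assignment saying what `_get_postvalue_from_absoluteURI` returns (for example, whether a query string is kept) would document that the two must agree.
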
    @@ -291,7 +291,7 @@
    elif self.auth_style == AUTH.httpdigest and not headers.has_key('Authorization') \ and not headers.has_key('Expect'):
    def digest_auth_cb(response):
    - self.SendSOAPDataHTTPDigestAuth(response, soapdata, url, soapaction, **kw)
    + self.SendSOAPDataHTTPDigestAuth(response, soapdata, request_uri, soapaction, **kw)
    self.http_callbacks[401] = None
    self.http_callbacks[401] = digest_auth_cb
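
    Review bot: in `digest_auth_cb` the third argument of `SendSOAPDataHTTPDigestAuth` changes from the absolute `url` to `request_uri`, but the method's signature and body are not part of this diff. Check that nothing inside it still treats that argument as an absolute URL (re-deriving the POST path or the host from it), rename the parameter to match, and add a regression test that sends a URL with a non-root path so the `uri` in the Authorization header can be compared with the request line.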

  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25
    • status: open-accepted --> pending-accepted
  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25

    Investigation of challenge dict:

    I created a unittest from RFC 2617 to demonstrate what I believe is correct behavior. I think you demonstrated that fetch_challenge is incomplete. However, I think the patch you provided here is lacking because it doesn't ignore whitespace in some cases, so I rewrote it using re.

    Please verify that this is working in branch:
    svn co


    Basic realm="WallyWorld"
    CORRECT: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    PATCH: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    OLD: {'challenge': 'Basic', 'realm': 'WallyWorld'}

    Basic realm="Wally World"
    CORRECT: {'challenge': 'Basic', 'realm': 'Wally World'}
    PATCH: {'challenge': 'Basic', 'realm': 'Wally World'}
    OLD: {'challenge': 'Basic', 'realm': 'Wally'}

    CORRECT: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': '', 'qop': 'auth,auth-int'}
    PATCH: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': '', 'qop': 'auth,auth-int'}
    OLD: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093\n', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': '\n', 'qop': 'authauth-int\n'}
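
The three failure modes visible in the OLD and PATCH rows above (a quoted value cut at a space, a comma lost inside `qop`, and folded-header newlines left in values) can be avoided with a small regex-based parser. The following is an added example, not ZSI's `fetch_challenge` and not code from this tracker item; the name `parse_challenge` and the sample header are assumptions constructed for illustration.

```python
import re

# One auth-param: name "=" ( quoted-string | token ), optionally preceded by
# a comma and by whitespace, including the newlines of a folded header.
_PARAM = re.compile(r'''
    \s*,?\s*
    ([A-Za-z][\w-]*)            # parameter name
    \s*=\s*
    (?: "((?:[^"\\]|\\.)*)"     # quoted-string: may hold spaces and commas
      | ([^\s,"]+) )            # or a bare token such as MD5
''', re.VERBOSE)


def parse_challenge(value):
    """Parse one challenge into {'challenge': scheme, name: value, ...}."""
    parts = value.split(None, 1)
    if not parts:
        raise ValueError("empty challenge")
    result = {'challenge': parts[0]}   # scheme without trailing newline
    rest = parts[1] if len(parts) > 1 else ''
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            # Only separators or whitespace may remain; anything else is
            # rejected rather than silently truncated.
            if rest[pos:].strip(' \t\r\n,'):
                raise ValueError("malformed auth-param at offset %d" % pos)
            break
        name, quoted, bare = m.groups()
        if quoted is not None:
            result[name.lower()] = re.sub(r'\\(.)', r'\1', quoted)  # unescape
        else:
            result[name.lower()] = bare
        pos = m.end()
    return result


# Constructed sample: a folded Digest challenge using the nonce and opaque
# values quoted in the comment above; the realm is a placeholder.
DIGEST_SAMPLE = ('Digest\n    realm="Wally World",\n    qop="auth,auth-int",\n'
                 '    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",\n'
                 '    opaque="5ccc069c403ebaf9f0171e9517f40e41"\n')

if __name__ == "__main__":
    print(parse_challenge('Basic realm="Wally World"'))
    print(parse_challenge(DIGEST_SAMPLE))
```

Rejecting a malformed parameter matters here because a truncated `nonce` or `realm` would be fed into the digest computation and produce a response the server can never accept.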

  • SourceForge Robot

    • status: pending-accepted --> closed-accepted
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

