digest: fix CURLAUTH_DIGEST_IE

The URI that is passed in as part of the Authorization: header needs to
be cut off at '?' if CURLAUTH_DIGEST_IE is set. Previously the code only
did so when calculating the MD5sum.

Bug: http://curl.haxx.se/bug/view.cgi?id=1308
Patched-by: Sergey Tatarincev
Daniel Stenberg
2013-12-04 23:08:17 +01:00
parent 1cf71bd76e
commit ef118c13ba


@@ -302,6 +302,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
/* We have a Digest setup for this, use it! Now, to get all the details for /* We have a Digest setup for this, use it! Now, to get all the details for
this sorted out, I must urge you dear friend to read up on the RFC2617 this sorted out, I must urge you dear friend to read up on the RFC2617
section 3.2.2, */ section 3.2.2, */
size_t urilen;
unsigned char md5buf[16]; /* 16 bytes/128 bits */ unsigned char md5buf[16]; /* 16 bytes/128 bits */
unsigned char request_digest[33]; unsigned char request_digest[33];
unsigned char *md5this; unsigned char *md5this;
@@ -436,13 +437,13 @@ CURLcode Curl_output_digest(struct connectdata *conn,
Further details on Digest implementation differences: Further details on Digest implementation differences:
http://www.fngtps.com/2006/09/http-authentication http://www.fngtps.com/2006/09/http-authentication
*/ */
if(authp->iestyle && ((tmp = strchr((char *)uripath, '?')) != NULL)) {
md5this = (unsigned char *)aprintf("%s:%.*s", request, if(authp->iestyle && ((tmp = strchr((char *)uripath, '?')) != NULL))
curlx_sztosi(tmp - (char *)uripath), urilen = tmp - (char *)uripath;
uripath);
}
else else
md5this = (unsigned char *)aprintf("%s:%s", request, uripath); urilen = strlen((char *)uripath);
md5this = (unsigned char *)aprintf("%s:%.*s", request, urilen, uripath);
if(d->qop && Curl_raw_equal(d->qop, "auth-int")) { if(d->qop && Curl_raw_equal(d->qop, "auth-int")) {
/* We don't support auth-int for PUT or POST at the moment. /* We don't support auth-int for PUT or POST at the moment.
@@ -507,7 +508,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
"username=\"%s\", " "username=\"%s\", "
"realm=\"%s\", " "realm=\"%s\", "
"nonce=\"%s\", " "nonce=\"%s\", "
"uri=\"%s\", " "uri=\"%.*s\", "
"cnonce=\"%s\", " "cnonce=\"%s\", "
"nc=%08x, " "nc=%08x, "
"qop=%s, " "qop=%s, "
@@ -516,7 +517,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
userp_quoted, userp_quoted,
d->realm, d->realm,
d->nonce, d->nonce,
uripath, /* this is the PATH part of the URL */ urilen, uripath, /* this is the PATH part of the URL */
d->cnonce, d->cnonce,
d->nc, d->nc,
d->qop, d->qop,
@@ -533,13 +534,13 @@ CURLcode Curl_output_digest(struct connectdata *conn,
"username=\"%s\", " "username=\"%s\", "
"realm=\"%s\", " "realm=\"%s\", "
"nonce=\"%s\", " "nonce=\"%s\", "
"uri=\"%s\", " "uri=\"%.*s\", "
"response=\"%s\"", "response=\"%s\"",
proxy?"Proxy-":"", proxy?"Proxy-":"",
userp_quoted, userp_quoted,
d->realm, d->realm,
d->nonce, d->nonce,
uripath, /* this is the PATH part of the URL */ urilen, uripath, /* this is the PATH part of the URL */
request_digest); request_digest);
} }
Curl_safefree(userp_quoted); Curl_safefree(userp_quoted);
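Review bot: The three `%.*s` conversions (the `md5this` aprintf and the `uri=\"%.*s\"` field in both header-building calls) now receive `urilen`, a `size_t`, as the precision argument, whereas the replaced code passed `curlx_sztosi(tmp - (char *)uripath)`, i.e. an int. If aprintf follows the printf convention that `*` consumes an `int` (its implementation is not shown here), then where size_t is wider than int the variadic arguments can be misread, so the uri sent in the Authorization header may be cut at the wrong length or the following `%s` arguments may be taken from the wrong slots. Keep the conversion at each of the three call sites, e.g. `curlx_sztosi(urilen), uripath,`, or declare the length as an int and convert once where it is computed. Curl_output_digest starts and ends outside the visible hunks, so any other use of `urilen` could not be checked here.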