Curl does not parse correctly the "qop=" parameter of Digest authentication #9264
Assignees
Labels
Comments
bagder
added a commit
that referenced
this issue
Aug 7, 2022
When parsing the "qop=" parameter of the digest authentication, and the value is provided within quotes, the list of values can have leading white space which the parser previously did not handle correctly. Add test case 388 to verify. Reported-by: vlubart on github Fixes #9264 Closes #
|
Thanks for the quick resolution! When a release with this fix can be expected ? |
|
This fix will be included in the next release. 7.85.0 is expected to ship on August 31. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When parsing the "qop=" parameter of the digest authentication Curl uses “,” delimiter. See function auth_digest_get_qop_values() in
curl/lib/vauth/digest.c
Line 235 in 40b6206
token = strtok_r(tmp, ",", &tok_buf);
The same at
curl/lib/vauth/digest.c
Line 244 in 40b6206
According to RFC https://www.ietf.org/rfc/rfc7616.html the qop delimiter can actually include a whitespace , as in the example that appears in the RFC :
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="http-auth@example.org",
qop="auth, auth-int",
(comma-whitespace instead of just comma)
In this case Curl would wrongly parse a token " auth-int" (with leading whitespace) instead of just "auth-int".
Found on Ubuntu 21.04
The text was updated successfully, but these errors were encountered: