Closed Bug 150602 Opened 23 years ago Closed 23 years ago

digest authentication problem: bad format of Authorization header [add special-case support for broken server]

Categories

(Core :: Networking: HTTP, defect)

x86
Windows 2000
defect
Not set
major

Tracking

VERIFIED DUPLICATE of bug 141605
Future

People

(Reporter: shibkov, Assigned: jab)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
BuildID: 2002053012

Mozilla writes the qop parameter of the digest Authorisation header incorrectly.

This is an example of an Authorisation header (by Mozilla):

Authorization: Digest username="uja", realm="Secret", nonce="KgAAAAAAAAA=e224d651e32853364cd53a26601b04565375677f", uri="/", algorithm=MD5, response="916a1088dd596d8e20f24f56a1014ce3", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"

As you can see, the value of the parameter qop is not quoted:

qop=auth

But in accordance with RFC2617 it must be quoted. It must be:

qop="auth"

So IIS 5.0 replies with error 500. By the way, the IIS implementation is not correct either. But that's off topic.

Reproducible: Always

Steps to Reproduce:
1. Set digest scheme in a server (e.g. Apache)
2. Make any request with Mozilla
3. Sniff traffic and read it

Actual Results:
The Authorization header of the request is:

Authorization: Digest username="uja", realm="Secret", nonce="KgAAAAAAAAA=e224d651e32853364cd53a26601b04565375677f", uri="/", algorithm=MD5, response="916a1088dd596d8e20f24f56a1014ce3", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"

Expected Results:
It must be:

Authorization: Digest username="uja", realm="Secret", nonce="KgAAAAAAAAA=e224d651e32853364cd53a26601b04565375677f", uri="/", algorithm=MD5, response="916a1088dd596d8e20f24f56a1014ce3", qop="auth", nc=00000001, cnonce="082c875dcb2ca740"
error from bug 15860's landing, the fix is easy.
Assignee: darin → jab
Actually, according to RFC2617 (page 10, section 3.2.2), the qop-value in message-qop of the Authorization header is not quoted. Note that the qop-value in the qop-options of the Authenticate header _is_ quoted (page 7, section 3.2.1), and the reason is that in the Authenticate header there might be more than one qop-value, so it has to be quoted there. IIRC, this has been discussed before, and the conclusion was that we can add special-case support for broken server implementation later. Maybe now it's time to do that?
Summary: digest authentication problem: bad format of Authorization header → digest authentication problem: bad format of Authorization header [add special-case support for broken server]
Target Milestone: --- → Future
This seems to be a duplicate of bug 141605.
agreed. marking as dup of bug 141605

*** This bug has been marked as a duplicate of 141605 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Verified duplicate.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh
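
A receiving-side parser that accepts both forms of qop discussed in this bug and rejects malformed input with a clean error, as an added example that is not part of the original report or of Mozilla's code. The names parse_digest, check and TOKEN_PARAMS are hypothetical; the two header values are the ones quoted in the report.

```python
import re

# name = quoted-string | token, followed by a comma or end of input.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

# Parameters RFC 2617 section 3.2.2 defines as bare tokens in Authorization.
TOKEN_PARAMS = {"qop", "nc", "algorithm"}

def parse_digest(header_value):
    """Return (params, quoted_names) for a Digest Authorization value."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params, quoted, pos = {}, set(), 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed parameter at offset {pos}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        if m.group(2) is not None:          # quoted-string: undo \-escapes
            params[name] = re.sub(r"\\(.)", r"\1", m.group(2))
            quoted.add(name)
        else:                               # bare token
            params[name] = m.group(3)
        pos = m.end()
    return params, quoted

def check(header_value):
    """Parse, validate field shapes, and list quoting deviations."""
    params, quoted = parse_digest(header_value)
    if params.get("qop") not in (None, "auth", "auth-int"):
        raise ValueError("unsupported qop")
    if "nc" in params and not re.fullmatch(r"[0-9a-fA-F]{8}", params["nc"]):
        raise ValueError("nc must be 8 hex digits")
    return params, sorted(TOKEN_PARAMS & quoted)

# Both header values are the ones quoted in the report above.
BASE = ('Digest username="uja", realm="Secret", '
        'nonce="KgAAAAAAAAA=e224d651e32853364cd53a26601b04565375677f", uri="/", '
        'algorithm=MD5, response="916a1088dd596d8e20f24f56a1014ce3", ')
SENT = BASE + 'qop=auth, nc=00000001, cnonce="082c875dcb2ca740"'
EXPECTED_BY_REPORTER = BASE + 'qop="auth", nc=00000001, cnonce="082c875dcb2ca740"'

if __name__ == "__main__":
    for value in (SENT, EXPECTED_BY_REPORTER):
        params, deviations = check(value)
        print(params["qop"], deviations)
```

Both values parse to the same parameters; the nonce keeps its embedded "=" because values are matched as whole quoted strings rather than split on "=" or ",".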