Closed
Bug 330702
Opened 19 years ago
Closed 19 years ago
Authorization: header missing quotes on qop="auth"
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
INVALID
People
(Reporter: matthew.van.eerde, Unassigned)
Details
Attachments
(2 files)
5.70 KB,
text/plain
|
Details | |
1.22 KB,
patch
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
I configured an IIS 5 server to require Digest Authentication for a particular area.
IE can connect to all of these pages fine.
Firefox connects to the FIRST page fine. Connecting to any other page results in a server error.
Reproducible: Always
Steps to Reproduce:
1. Configure an IIS 5 server to require Digest Authentication (and ONLY digest authentication) for a particular location.
2. Connect to that location in Internet Explorer. IE will prompt for credentials.
3. Enter appropriate credentials.
4. Notice that the page loads.
5. Hit Refresh.
6. Notice that the page loads successfully.
7. Connect to that location in Firefox. Firefox will prompt for credentials.
8. Enter appropriate credentials.
9. Notice that the page loads.
10. Hit Refresh.
11. Notice the server error: "The network request is not supported."
Actual Results:
Server error: "the network request is not supported"
Expected Results:
200 OK and the page loading successfully
Internet Explorer 7 is going to display a warning message whenever Basic authentication is used on a non-SSL connection. See:
http://blogs.msdn.com/ie/archive/2006/03/15/552246.aspx
This will cause a huge push for site owners to change authentication from Basic to other means, such as Digest.
Therefore I feel severity = major.
Trace of headers available:
http://www.geocities.com/mvaneerde/digest-test.txt
I will attach as soon as the bug is created
Reporter | ||
Comment 1•19 years ago
|
||
This shows the digest conversation for both IE <-> IIS and Firefox <-> IIS. Note the Firefox conversation ends in a "Server Error" but IE just has a string of "OK"s.
Reporter | ||
Comment 2•19 years ago
|
||
Just tested in the latest nightly - problem still occurs.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060316 Firefox/1.6a1
Reporter | ||
Comment 3•19 years ago
|
||
I've noticed an RFC violation in the Firefox request.... it contains
qop=auth
But RFC2617 says:
If present, [qop's value] is a *quoted string* of one or more tokens...
That is to say, qop="auth" is correct, but qop=auth is not.
Reporter | ||
Comment 4•19 years ago
|
||
Changing summary to update bug problem
OS: Windows 2000 → All
Hardware: PC → All
Summary: HTTP Digest Authentication to IIS 5 fails → Authorization: header missing quotes on qop="auth"
Version: unspecified → Trunk
Reporter | ||
Comment 5•19 years ago
|
||
Patch applies to /mozilla/netwerk/protocol/http/src/nsHttpDigestAuth.cpp
The current code checks to see whether the server is IIS -- if so, it adds the quotes
But according to the RFC the quotes are always mandatory
Reporter | ||
Comment 6•19 years ago
|
||
OK, so that's how to fix it... now here's my guess as to why it behaves the way it does.
On the first request to a page, there's a Response available in the HTTP channel:
C: GET
S: WWW-Authenticate
C: Authorization
So the Response->Server variable is queriable and the quotes are added.
On subsequent requests (for associated content, refreshes, etc.) there is no readily available Response->Server variable. Default behavior takes place, no quotes are added, and IIS CORRECTLY rejects the request.
Updated•19 years ago
|
Component: General → Networking: HTTP
Product: Firefox → Core
QA Contact: general → networking.http
Reporter | ||
Comment 7•19 years ago
|
||
See also bug 141605 and bug 150602
Reporter | ||
Comment 8•19 years ago
|
||
Oops!
It helps to read the entire RFC. The qop rules are different for server-to-client "WWW-Authenticate" headers than they are for client-to-server Authorization headers.
For server-to-client WWW-Authenticate: headers, the rules are:
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token
That is to say, quotes are MANDATORY.
On the other hand, for client-to-server Authorization: headers, the rules are:
message-qop = "qop" "=" qop-value
That is to say, quotes are FORBIDDEN.
There are thus three bugs.
* one in IE, for generating the incorrect Authorization: header
* one in IIS, for accepting the incorrect Authorization: header
* another one in IIS, for refusing the correct Authorization: header.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 9•19 years ago
|
||
According to David Wang of Microsoft, the IIS bugs were fixed in IIS 6.0.
Reporter | ||
Comment 10•19 years ago
|
||
I have a support request in to Microsoft for a fix for IIS 5.
Support Request Number - SRZ060321001678
You need to log in
before you can comment on or make changes to this bug.
Description
•