
This queue is for tickets about the Catalyst-Plugin-Authentication CPAN distribution.

Report information
The Basics
Id: 78404
Status: open
Priority: 0/
Queue: Catalyst-Plugin-Authentication

People
Owner: Nobody in particular
Requestors: CYCLES [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Subject: Digest authentication fails with encoded query parameters
If we try and access a protected resource, /foo/bar?blah=test!, authenticating works and the resource is delivered. If however we use /foo/bar?blah=test%21, accessing the resource fails with a 400 and no body.

This seems to be due to the following:

    my $uri = $c->request->uri->path_query;
    ...
    my $check = ($uri eq $res{uri}
                 || ($self->broken_dotnet_digest_without_query_string
                     && $c->request->uri->path eq $res{uri}))
        && ( exists $res{username} )
        && ( exists $res{qop} )
        && ( exists $res{cnonce} )
        && ( exists $res{nc} )
        && $algorithm eq $nonce->algorithm
        && hex($nonce_count) > hex( $nonce->nonce_count )
        && $res{nonce} eq $nonce->nonce;

    $uri = /foo/bar?blah=test!
    $res{uri} = /foo/bar?blah=test%21

So $uri != $res{uri}, hence $check is false.
Hmm, I'm not totally sure which side is doing the correct / wrong thing here. (I.e. I'm unsure if we should be decoding stuff before testing, or encoding it). Either way, I'm unlikely to have time to look at this very soon, but I'd be very welcoming of a patch with some tests for encoded and unencoded query params in digest auth, and a fix for same.
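One shape a fix for the `$uri eq $res{uri}` check could take, written here in Python as an added illustration rather than as Catalyst::Plugin::Authentication code: canonicalise both the request's path_query and the Digest `uri=` value before comparing, collapsing only escapes of characters that carry no delimiter meaning in that component (so `%21` and `!` match) while leaving escapes of structural delimiters such as `%26` vs `&` distinct. The delimiter sets and function names are this example's own choices; the digest response itself must still be computed over the client's `uri=` string verbatim, since that is what the client hashed.

```python
import string
from urllib.parse import urlsplit

# Bare characters that carry meaning in a component (example's choice); their
# %XX forms must not be collapsed to the bare character. "%" is included so a
# %25 is never turned into a fresh escape introducer (no double-decoding).
PATH_DELIMS = set("/?#%")
QUERY_DELIMS = set("&=+;?#%")


def _normalize_component(component: str, delims: set) -> str:
    """Decode %XX escapes of printable, non-delimiter ASCII; uppercase every
    other escape; percent-encode raw bytes outside printable ASCII."""
    out, i, n = [], 0, len(component)
    while i < n:
        ch = component[i]
        hexpair = component[i + 1:i + 3]
        if ch == "%" and len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
            code = int(hexpair, 16)
            if 0x21 <= code <= 0x7E and chr(code) not in delims:
                out.append(chr(code))            # safe to collapse, e.g. %21 -> !
            else:
                out.append("%" + hexpair.upper())  # keep escaped, e.g. %26 stays
            i += 3
        elif 0x21 <= ord(ch) <= 0x7E:
            out.append(ch)
            i += 1
        else:
            # raw non-ASCII / control char: encode its UTF-8 bytes
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
            i += 1
    return "".join(out)


def normalize_path_query(uri: str) -> str:
    """Canonical path[?query] of a request-URI or a Digest uri= value."""
    parts = urlsplit(uri)
    norm = _normalize_component(parts.path, PATH_DELIMS)
    if "?" in uri:  # keep "/foo?" distinguishable from "/foo"
        norm += "?" + _normalize_component(parts.query, QUERY_DELIMS)
    return norm


def digest_uri_matches(request_path_query: str, header_uri: str) -> bool:
    """Replacement for `$uri eq $res{uri}`: compare canonical forms only.
    The digest hash is still taken over header_uri exactly as sent."""
    return normalize_path_query(request_path_query) == normalize_path_query(header_uri)
```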