Skip Menu |

This queue is for tickets about the Catalyst-Plugin-Authentication CPAN distribution.

Report information
The Basics
Id: 78404
Status: open
Priority: 0/
Queue: Catalyst-Plugin-Authentication
People
Owner: Nobody in particular
Requestors: CYCLES [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Mon Jul 16 11:30:20 2012 CYCLES [...] cpan.org - Ticket created
Subject: Digest authentication fails with encoded query parameters
If we try and access a protected resource, /foo/bar?blah=test!, authenticating works and the resource is delivered. If however we use /foo/bar?blah=test%21 accessing the resource fails with a 400 and no body. This seems to be due to the following: my $uri = $c->request->uri->path_query; ... my $check = ($uri eq $res{uri} || ($self->broken_dotnet_digest_without_query_string && $c->request->uri->path eq $res{uri})) && ( exists $res{username} ) && ( exists $res{qop} ) && ( exists $res{cnonce} ) && ( exists $res{nc} ) && $algorithm eq $nonce->algorithm && hex($nonce_count) > hex( $nonce->nonce_count ) && $res{nonce} eq $nonce->nonce; $uri = /foo/bar?blah=test! $res{uri} = /foo/bar?blah=test%21 So $uri != $res{uri}, hence $check is false.
  Wed Jul 18 15:16:49 2012 bobtfish [...] bobtfish.net - Correspondence added
Hmm, I'm not totally sure which side is doing the correct / wrong thing here. (I.e. I'm unsure if we should be decoding stuff before testing, or encoding it). Either way, I'm unlikely to have time to look at this very soon, but I'd be very welcoming of a patch with some tests for encoded and unencoded query params in digest auth, and a fix for same.
  Wed Jul 18 15:16:52 2012 The RT System itself - Status changed from 'new' to 'open'