Subject: Digest authentication fails with encoded query parameters
If we try and access a protected resource, /foo/bar?blah=test!,
authenticating works and the resource is delivered. If however we use
/foo/bar?blah=test%21 accessing the resource fails with a 400 and no
body.
This seems to be due to the following:

    my $uri = $c->request->uri->path_query;
    ...
    my $check = ($uri eq $res{uri} ||
                 ($self->broken_dotnet_digest_without_query_string
                  &&
                  $c->request->uri->path eq $res{uri}))
      && ( exists $res{username} )
      && ( exists $res{qop} )
      && ( exists $res{cnonce} )
      && ( exists $res{nc} )
      && $algorithm eq $nonce->algorithm
      && hex($nonce_count) > hex( $nonce->nonce_count )
      && $res{nonce} eq $nonce->nonce;

    $uri = /foo/bar?blah=test!
    $res{uri} = /foo/bar?blah=test%21

So $uri != $res{uri}, hence $check is false.
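
The mismatch reported above, shown as an added example (not code from the module or from the reporter): both strings are put into one canonical percent-encoding before the comparison, so `test!` and `test%21` compare equal while an encoded delimiter such as `%2F` never matches a literal `/`. The function names, the set of delimiters left untouched and the sample values are assumptions of this example.

```perl
use strict;
use warnings;

# Delimiters that structure a path or query. A literal one and its escaped
# form mean different things, so neither is converted (assumed set).
my %STRUCTURAL = map { $_ => 1 } split //, '/?&=;+#';
my $UNRESERVED = qr/\A[A-Za-z0-9._~-]\z/;    # RFC 3986 unreserved characters

# Canonical form: unreserved characters are always literal, structural
# delimiters keep their spelling, every other byte is an upper-case escape.
# Inputs are assumed to be byte strings as received on the wire.
sub canonical_request_target {
    my ($target) = @_;
    my $out = '';
    while ( $target =~ /\G(?:%([0-9A-Fa-f]{2})|(.))/gs ) {
        my ( $hex, $lit ) = ( $1, $2 );    # copy before the next match resets them
        if ( defined $hex ) {
            my $char = chr( hex($hex) );
            $out .= $char =~ $UNRESERVED ? $char : '%' . uc($hex);
        }
        else {
            $out .= ( $lit =~ $UNRESERVED || $STRUCTURAL{$lit} )
                ? $lit
                : sprintf( '%%%02X', ord $lit );
        }
    }
    return $out;
}

# Hypothetical replacement for the plain `$uri eq $res{uri}` test.
sub digest_uri_matches {
    my ( $request_target, $digest_uri ) = @_;
    return canonical_request_target($request_target)
        eq canonical_request_target($digest_uri);
}

# Constructed cases: [ request target, uri= value from the header, expected ]
for my $case (
    [ '/foo/bar?blah=test!',   '/foo/bar?blah=test%21', 1 ],
    [ '/foo/bar?blah=test%21', '/foo/bar?blah=test%21', 1 ],
    [ '/foo/bar?blah=a%2fb',   '/foo/bar?blah=a%2Fb',   1 ],
    [ '/foo/bar?blah=a%2Fb',   '/foo/bar?blah=a/b',     0 ],
    [ '/foo/bar?blah=test!',   '/foo/baz?blah=test!',   0 ],
) {
    my ( $target, $uri, $want ) = @$case;
    my $got = digest_uri_matches( $target, $uri ) ? 1 : 0;
    printf "%-24s vs %-24s => %s\n", $target, $uri, $got ? 'match' : 'differ';
    die "unexpected result for $target / $uri\n" if $got != $want;
}
```

The other conditions in `$check` (nonce, nonce count, algorithm) are unaffected; only the URI equality test changes.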