
This queue is for tickets about the Catalyst-Authentication-Credential-HTTP CPAN distribution.

Report information
The Basics
Id: 84789
Status: new
Priority: 0/
Queue: Catalyst-Authentication-Credential-HTTP

People
Owner: Nobody in particular
Requestors: bitcard [...] JonnyJD.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.015
Fixed in: (no value)



Subject: [PATCH] 400 Error on Digest Auth using python urllib over Proxy
Python's urllib uses an absoluteURI in the Digest header when talking to a proxy. This absoluteURI is not accepted by Catalyst and the request always fails with a 400 status code without even checking the user/password.

This surfaced against the MusicBrainz server, using Catalyst for the Digest handling: http://tickets.musicbrainz.org/browse/MBS-6185

There are also complete headers available for a test with and without a proxy in between. Additionally there is a test available. You don't need actual MusicBrainz usernames for the test. "test123:123" works fine, since the 400 error occurs even before checking the user/password.

Not all clients use an absoluteURI in the digest header, but python's urllib does this. There has been a report for python for quite some time and the decision is that what urllib does is fine according to the RFCs. The absoluteURI should be handled by the server: http://bugs.python.org/issue4140

I have a patch ready which I will submit after the ticket is open (referencing the ticket).

Additional info: perl 5.14.2, Ubuntu Linux with 3.2.0 kernel
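The failure described in the ticket is a server-side check that compares the Digest "uri" field only against the request's path and query, so the absoluteURI form that urllib sends through a proxy is rejected with 400 before the password is ever looked at. The following is an added example, not code from the ticket or from Catalyst-Authentication-Credential-HTTP, showing the whole path in Python: parsing the Authorization header, accepting both the relative and the absoluteURI form (but only when the absolute form points at this server), and computing the RFC 2617 response over the uri string exactly as the client sent it. The realm, nonce, path and the "test123"/"123" account are constructed test values; the `accept_absolute=False` switch reproduces the pre-patch behaviour for comparison.

```python
import hashlib
import re
from urllib.parse import urlsplit

# key="quoted value" or key=token, comma separated, as in a Digest header
_PAIR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest Authorization header')
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR_RE.finditer(params)}


def _host_port(netloc, scheme):
    """Normalise 'host[:port]' so that a default port compares equal to no port."""
    host, _, port = netloc.lower().partition(':')
    return host, port or ('443' if scheme == 'https' else '80')


def digest_uri_matches(digest_uri, request_scheme, request_host, request_path_query):
    """True if the Digest 'uri' field designates this request.

    Accepts the relative form (path plus query, what most clients send) and the
    absoluteURI form that urllib sends through a proxy, but only when the
    absolute form names this host and port, so a uri for another server is
    still rejected.
    """
    if digest_uri == request_path_query:
        return True
    parts = urlsplit(digest_uri)
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return False
    path_query = parts.path + ('?' + parts.query if parts.query else '')
    return (_host_port(parts.netloc, parts.scheme) == _host_port(request_host, request_scheme)
            and path_query == request_path_query)


def digest_response(params, method, password):
    """RFC 2617 response value (MD5, qop=auth or legacy no-qop).

    HA2 is computed over the uri string exactly as the client sent it: if the
    server substituted its own view of the URI here, an absoluteURI client could
    never produce a matching response even with the right password.
    """
    ha1 = md5hex(f"{params['username']}:{params['realm']}:{password}")
    ha2 = md5hex(f"{method}:{params['uri']}")
    if params.get('qop') == 'auth':
        return md5hex(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
    return md5hex(f"{ha1}:{params['nonce']}:{ha2}")


def client_authorization(username, password, realm, nonce, method, uri,
                         nc='00000001', cnonce='0a4f113b'):
    """Build the header a client would send; `uri` may be relative or absolute."""
    params = {'username': username, 'realm': realm, 'nonce': nonce, 'uri': uri,
              'qop': 'auth', 'nc': nc, 'cnonce': cnonce}
    params['response'] = digest_response(params, method, password)
    return 'Digest ' + ', '.join(
        f'{k}={v}' if k in ('qop', 'nc') else f'{k}="{v}"' for k, v in params.items())


def check_request(header, method, request_scheme, request_host, request_path_query,
                  passwords, accept_absolute=True):
    """Server-side check: 400 for a uri that is not this request, 401 for a bad
    credential, 200 when everything matches (the statuses the ticket describes)."""
    p = parse_digest_header(header)
    if accept_absolute:
        ok = digest_uri_matches(p.get('uri', ''), request_scheme, request_host, request_path_query)
    else:
        ok = p.get('uri') == request_path_query  # pre-patch behaviour: relative form only
    if not ok or 'username' not in p:
        return 400
    password = passwords.get(p['username'])
    if password is None or digest_response(p, method, password) != p.get('response'):
        return 401
    return 200


# Constructed test data (hypothetical realm, nonce and path; not MusicBrainz values)
PASSWORDS = {'test123': '123'}
REALM, NONCE = 'example.org', 'dcd98b7102dd2f0e8b11d0f600bfb0c093'
PATH = '/ws/2/recording?query=foo'


def demo():
    """Direct request, the same request through a proxy (absoluteURI), a uri for a
    different host, and a wrong password, each checked as the server would."""
    direct = client_authorization('test123', '123', REALM, NONCE, 'GET', PATH)
    via_proxy = client_authorization('test123', '123', REALM, NONCE, 'GET', 'http://example.org' + PATH)
    other_host = client_authorization('test123', '123', REALM, NONCE, 'GET', 'http://other.example' + PATH)
    wrong_pw = client_authorization('test123', 'nope', REALM, NONCE, 'GET', 'http://example.org' + PATH)
    args = ('GET', 'http', 'example.org', PATH, PASSWORDS)
    return {
        'direct': check_request(direct, *args),
        'proxy_old': check_request(via_proxy, *args, accept_absolute=False),
        'proxy_new': check_request(via_proxy, *args),
        'other_host': check_request(other_host, *args),
        'bad_password': check_request(wrong_pw, *args),
    }


if __name__ == '__main__':
    print(demo())
```

The two properties worth keeping when porting this to a real server are the host check (an absoluteURI for a different server is still a 400, not a silent match on path) and computing HA2 over the client's own uri string, since that is what the client hashed.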
From: bitcard [...] JonnyJD.net
This is the proposed patch that uses the canonical URI (in addition to the other check possibilities). This fixes my problem. No 400 error anymore, and when the user/password is correct I can submit things fine (200 status).
Subject: 0001-84789-allow-absoluteURI-in-digest-uri-header.patch
From 77a1d955b6152b955707f035d82f6e7ae942db16 Mon Sep 17 00:00:00 2001 From: Johannes Dewender <cpan@JonnyJD.net> Date: Mon, 22 Apr 2013 15:42:15 +0000 Subject: [PATCH] 84789: allow absoluteURI in digest uri header The "uri" part of the digest Authorization header part can contain a complete absoluteURI, including server, port and protocol. Python's urllib does that when talking to a proxy in between. So we also allow "uri" to be the canonical uri. --- lib/Catalyst/Authentication/Credential/HTTP.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm index e9804d9..6eff75e 100644 --- a/lib/Catalyst/Authentication/Credential/HTTP.pm +++ b/lib/Catalyst/Authentication/Credential/HTTP.pm @@ -130,8 +130,9 @@ sub authenticate_digest { my $uri = $c->request->uri->path_query; my $algorithm = $res{algorithm} || 'MD5'; my $nonce_count = '0x' . $res{nc}; + my $canon_uri = $c->request->uri->canonical; - my $check = ($uri eq $res{uri} || + my $check = ($uri eq $res{uri} || $canon_uri eq $res{uri} || ($self->broken_dotnet_digest_without_query_string && $c->request->uri->path eq $res{uri})) && ( exists $res{username} ) -- 1.7.9.5
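Review bot: the new `$canon_uri eq $res{uri}` alternative in the `$check` expression compares the client's digest uri against the URI as this server reconstructs it (scheme, host and port from its own request object), so behind a reverse proxy, with TLS terminated in front, or on a non-default port the reconstructed absoluteURI can differ from what urllib sent and the 400 comes back; a more robust variant parses `$res{uri}` with `URI->new` and compares its `path_query` to `$uri` while checking that its host and port are those of this request, rather than requiring a byte-for-byte match with `->canonical`. Also note that `canonical` returns a URI object and `eq` only works here because it stringifies; `->canonical->as_string` would make the intent explicit. The patch adds no test case for the absoluteURI form (the ticket says one is available) and no POD note next to the `broken_dotnet_digest_without_query_string` documentation stating that an absoluteURI digest uri is now accepted.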