Bug 275307

Summary: Webdav kioslave seems to generate wrong auth digest for PUT
Product: [Unmaintained] kio
Reporter: Martin van Es <bugs>
Component: webdav
Assignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: adawit
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In: 4.7.3
Sentry Crash Report:

Description Martin van Es 2011-06-09 22:18:59 UTC
Version:           unspecified (using KDE 4.6.3) 
OS:                Linux

I'm testing a php based webdav server and since switching to Digest Authentication I can not PUT to the server anymore. A little debugging of the communication reveals that kio webdav sends a wrong (i.e. different) response than what I calculated ONLY for PUT requests. PROPFIND, GET and MOVE all are OK!

A sample of debug info for a successful request:

d: Start request: PROPFIND
d: realm: BigDisk.nl
d: uri: /ChangeLog
d: user: test1
d: nonce: 4df0f2c7e4b65
d: nc: 00000001
d: cnonce: miwdGu5UeNcIvJQ5
d: qop: auth
d: A1: c7e777f7df1a4b6d2099c5e025f8a230
d: A2: ea8324189e3f52f5ebcb2474d08ad4fc
d: response: c4847d93a841b7b3883eaf97584956c6
d: vresponse: c4847d93a841b7b3883eaf97584956c6
d: End Request

The A1, A2 and vresponse values are calculated serverside (test1's password is test1). Given the above realm and other data A2 is trivial. Hence my calculated vresponse and webdav kioslave's response are ok.

But now for a PUT request:

d: Start request: PUT
d: realm: BigDisk.nl
d: uri: /ChangeLog
d: user: test1
d: nonce: 4df0f2c7e4b65
d: nc: 00000001
d: cnonce: miwdGu5UeNcIvJQ5
d: qop: auth
d: A1: c7e777f7df1a4b6d2099c5e025f8a230
d: A2: 78a8a6b7df405601e2539dce0c6d7527
d: response: c4847d93a841b7b3883eaf97584956c6
d: vresponse: b76869374528ba4900255c156244f2f8
d: Invalid response

Webdav kio-slave's response != my calculated vresponse hence the upload fails.

I've skimmed through the sources and can't find a reason why calculateResponse() should be different for PUT. I also tried to guess what went wrong by recalculating the response for variations on data but was not able to reproduce the wrong response.

Reproducible: Always

Steps to Reproduce:
Create a simple Digest Auth server in PHP (see PHP HTTP Auth documentation for Digest Authentication example: http://php.net/manual/en/features.http-auth.php)
Add some debug info (write to file) and see the invalid response for PUT requests made in Dolphin.

Actual Results:  
Wrong response digest header for PUT requests

Expected Results:  
Correct response header (b76869374528ba4900255c156244f2f8 in the above result).
Comment 1 Martin van Es 2011-06-10 10:22:57 UTC
I'm stupefied. The internal SabreDAV Digest authentication works for PUT but I can't find the difference in response calculation :/
Comment 2 Martin van Es 2011-06-10 11:16:14 UTC
I switched to SabreDAV's built-in Digest Auth methods and all works like a charm. Regard this bug invalid.
Comment 3 Martin van Es 2011-06-16 11:11:41 UTC
After a little inspection on the wire I now know why SabreDAV's Digest implementation works: it simply sends a 401 (Unauthorized) on the first PUT attempt after which kio-webdav retries with a correct digest.

In a staged test environment I can reproduce the bug easily:

kio webdav sends this digest on first PUT:
Digest username=\"test1\", realm=\"BigDisk.nl\", nonce=\"4df9c200e8eb5\", uri=\"/test\", algorithm=MD5, qop=auth, cnonce=\"aD7YZtDC7CvnSLsW\", nc=00000001, response=\"7f97744c1fae242c0cc62b4c3efcb6d1\", opaque=\"df58bdff8cf60599c939187d0b5c54de\"

Which receives a 401, because it actually is wrong (password for user test1 is test1)

Then it resends the complete PUT using the following digest:
Digest username=\"test1\", realm=\"BigDisk.nl\", nonce=\"4df9c225e8519\", uri=\"/test\", algorithm=MD5, qop=auth, cnonce=\"qzssX6cI9Moj0Ila\", nc=00000001, response=\"b609e911ea3c508baccc9cee78e5262e\", opaque=\"df58bdff8cf60599c939187d0b5c54de\"

Which succeeds because it validates correctly (same password).

The problem is that kio-webdav sends the complete PUT body containing all data twice, which may result in severe upload delays for big files.
Comment 4 Dawit Alemayehu 2011-10-23 08:32:47 UTC
Git commit 27973cd73a614aa0df298676efb3c6fb53a2d378 by Dawit Alemayehu.
Committed on 23/10/2011 at 10:24.
Pushed by adawit into branch 'KDE/4.7'.

When uploading a file to a WebDAV server, regenerate the authentication header
after doing the stat

BUG: 275307
FIXED-IN: 4.7.3

M  +3    -0    kioslave/http/http.cpp

http://commits.kde.org/kdelibs/27973cd73a614aa0df298676efb3c6fb53a2d378
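
Added example, not part of the bug report or of kdelibs: a server-side check that recomputes the RFC 2617 `qop=auth` response and, when it does not match the request's own method, tests whether it matches another method with the same nonce/nc/cnonce, which is the header-reuse pattern visible in the description (the PUT log carries the same `response` as the PROPFIND log). The function names and the candidate method list are assumptions; the sample fields are copied from the failing PUT log above.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # "A1" in the report's log
    ha2 = md5_hex(f"{method}:{uri}")              # "A2": the only method-dependent input
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def classify(method, sent, password, f, candidates=("PROPFIND", "GET", "MOVE", "PUT")):
    """Return 'valid', 'reused:<METHOD>' or 'invalid' for a received response.

    'reused:<METHOD>' means the digest is correct for the same nonce/nc/cnonce
    but a different request method, i.e. an Authorization header built for an
    earlier request was sent again unchanged.
    """
    def expected(m):
        return digest_response(f["user"], f["realm"], password, m, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f["qop"])
    if hmac.compare_digest(sent, expected(method)):
        return "valid"
    for m in candidates:
        if m != method and hmac.compare_digest(sent, expected(m)):
            return f"reused:{m}"
    return "invalid"

# Fields copied from the failing PUT log in the description.
PUT_LOG = {
    "user": "test1", "realm": "BigDisk.nl", "uri": "/ChangeLog",
    "nonce": "4df0f2c7e4b65", "nc": "00000001", "cnonce": "miwdGu5UeNcIvJQ5",
    "qop": "auth", "response": "c4847d93a841b7b3883eaf97584956c6",
}

if __name__ == "__main__":
    # Password "test1" is the one the reporter states for user test1.
    print(classify("PUT", PUT_LOG["response"], "test1", PUT_LOG))
```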