Bug 477891

Summary: Digest authentication failure
Product: [Applications] akregator Reporter: Dan Fandrich <dan>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UPSTREAM    
Severity: normal CC: montel
Priority: NOR    
Version First Reported In: 5.24.3   
Target Milestone: ---   
Platform: Flatpak   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Dan Fandrich 2023-12-02 07:18:37 UTC 
SUMMARY
Accessing a feed on a lighttpd server protected with HTTP Digest authentication with algorithm=SHA-256 fails with a server error:

mod_auth.c.1334) digest: (a2ca643c55f46828b66002b5bed0e4e0): invalid format

akregator just silently fails to download the feed and shows the name in red.

STEPS TO REPRODUCE
1. Configure a feed served by a lighttpd server protected with SHA-256 Digest authentication
2. Try to "Fetch feed"

OBSERVED RESULT
No feed and a red feed name

EXPECTED RESULT
Feed contents available for browsing

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 
KDE Frameworks Version: 5.111.0
Qt Version: 5.15.10

ADDITIONAL INFORMATION
The protected RSS feed link can be accessed fine (including authentication) with Firefox, Chrome, curl and xh, so it's unlikely to be a server problem.
Running this from Flatpak will first hit #477889 before it gets to the point where this bug is encountered.
Comment 1 Dan Fandrich 2023-12-02 07:28:11 UTC 
One thing I just noted: the other clients respond with 64 hexadecimal characters (i.e. 256 bits) in the "response" field of the Authorization: header, but akregator responds with 32 hex bytes (i.e. 128 bits). It doesn't look like Akregator is responding properly to an algorithm=SHA-256 authorization.
Comment 2 Laurent Montel 2023-12-02 08:07:10 UTC 
Hi,
Do you have a test server ?
Regards.
Comment 3 Dan Fandrich 2023-12-02 08:32:18 UTC 
Unfortunately, my server isn't public. I could probably come up with a dockerfile to run a local server if you'd like.
Comment 4 Dan Fandrich 2023-12-17 03:50:38 UTC 
I traced the Akregator code and found that it seems to use the QtNetwork classes to perform HTTP requests. I created a standalone Qt application to perform a similar request and discovered that it truncates the response field to 128 bits as well. So, it seems to be a problem in Qt itself (I tried both 5.15.2 and 5.15.7).
Comment 5 Dan Fandrich 2023-12-17 04:06:25 UTC 
For the record, the Qt issue seems to be https://bugreports.qt.io/browse/QTBUG-98280