Bug 150392 - RFC2617 headers values qop, algorithm and cnonce must not be quoted
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: http
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
Reported: 2007-10-01 23:53 UTC by ingo
Modified: 2010-04-11 09:54 UTC (History)
Description ingo 2007-10-01 23:53:42 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc 3.4.6 (compiler is irrelevant here)
OS:                Linux

There is a flaw within the digest authentication code. 
Within the response (Proxy-)Authorization, the values of the 
parameters algorithm and qop are quoted. This is against the 
spec. The response value of algorithm and qop are single tokens, 
cf. rfc2617, "3.2.2 The Authorization Request Header" 
 a) the augmented BNF 
 b) 
 ==== 
  qop 
      Indicates what "quality of protection" the client has applied to 
      the message. If present, its value MUST be one of the alternatives 
      the server indicated it supports in the WWW-Authenticate header. 
      These values affect the computation of the request-digest. Note 
      that this is a single token, not a quoted list of alternatives as 
      in WWW-Authenticate. 
 === 
 
 The value of algorithm is a single token in any case, i.e. without quotes 
 (both within request and response, see rfc2617 "3.2.1 The WWW-Authenticate Response Header") 
 NOTE that the quotes within the 
 augmented BNF do NOT belong to the token nor indicate that the token 
 must be enclosed by quotes (see rfc2616, "2.1 Augmented BNF": 
 === 
    "literal" 
       Quotation marks surround literal text. Unless stated otherwise, 
       the text is case-insensitive. 
 === 
 
This flaw is present up to 3.93.0 (e.g. in 3.5.7 too).

I file it as new because the provided patch of relevant bug #58530,
comment #17 has not been incorporated into the codebase yet.

Repatching is trivial. Please incorporate the changes.
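
As an added illustration of the quoting rule described in the report above (not code from KIO or from the patch the report refers to), this C++ check parses a Digest credentials string and lists which of `qop` and `algorithm` were sent as quoted strings. The function names and the sample header values are constructed for this example.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

struct Param { std::string name, value; bool quoted; };
// Parse the parameter list after "Digest ", recording whether each value
// arrived as a quoted-string or as a bare token.
std::vector<Param> parseDigestParams(const std::string& s) {
    std::vector<Param> out;
    std::size_t i = s.rfind("Digest ", 0) == 0 ? 7 : 0;
    while (i < s.size()) {
        while (i < s.size() && (s[i] == ',' || std::isspace((unsigned char)s[i]))) ++i;
        std::size_t eq = s.find('=', i);
        if (eq == std::string::npos) break;
        Param p{s.substr(i, eq - i), "", false};
        for (char& c : p.name) c = (char)std::tolower((unsigned char)c);
        i = eq + 1;
        if (i < s.size() && s[i] == '"') {
            p.quoted = true;
            for (++i; i < s.size() && s[i] != '"'; ++i) {
                if (s[i] == '\\' && i + 1 < s.size()) ++i;  // quoted-pair
                p.value += s[i];
            }
            ++i;  // step over the closing quote
        } else {
            while (i < s.size() && s[i] != ',') p.value += s[i++];
        }
        out.push_back(p);
    }
    return out;
}

// Names of the parameters the report identifies as single tokens (qop,
// algorithm) that were nevertheless sent inside quotation marks.
std::vector<std::string> quotedTokenParams(const std::string& credentials) {
    std::vector<std::string> bad;
    for (const Param& p : parseDigestParams(credentials))
        if (p.quoted && (p.name == "qop" || p.name == "algorithm")) bad.push_back(p.name);
    return bad;
}

// Constructed sample values, not captured traffic.
const std::string kQuoted = "Digest username=\"u\", realm=\"r\", nonce=\"abc\", uri=\"/\", "
    "algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"xyz\", response=\"0123\"";
const std::string kFixed = "Digest username=\"u\", realm=\"r\", nonce=\"abc\", uri=\"/\", "
    "algorithm=MD5, qop=auth, nc=00000001, cnonce=\"xyz\", response=\"0123\"";
int main() {
    for (const std::string& n : quotedTokenParams(kQuoted)) std::cout << n << " must be a bare token\n";
    return quotedTokenParams(kFixed).empty() ? 0 : 1;
}
```

A server that parses these parameters strictly as tokens may reject the quoted form, so a check like this is useful in client regression tests.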
Comment 1 Andreas Pakulat 2007-10-17 16:57:04 UTC
SVN commit 726339 by apaku:

Fix typo, patch by Jeremy Laine
BUG:150392


 M  +1 -1      kdevopenwith.desktop  


WebSVN link: http://websvn.kde.org/?view=rev&revision=726339
Comment 2 ingo 2007-12-05 20:12:04 UTC
Unfixed. Still present in kdelibs-3.96.0. Please reopen and fix it.
Comment 3 ingo 2007-12-24 18:57:12 UTC
Unfixed. Still present in kdelibs-3.97.0. Please reopen and fix it.
Comment 4 Dawit Alemayehu 2010-04-11 09:54:27 UTC
SVN commit 1113602 by adawit:

Do not put quotation marks around parameters that were not supposed to
have one in the first place. Fixes a bug first reported 7 years ago ?!? 

BUG: 150392


 M  +4 -5      httpauthentication.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1113602