Only accept auth=qop for digest authentication
Since we implement the digest authentication process and require auth=qop in our authorization request from the client, a valid response must include auth=qop as well. Change-Id: I2ecd4bc8568ad432ac7f54d82e465be06dc01993 Signed-off-by: Shawn O. Pearce <sop@google.com>
This commit is contained in:
parent
9a9d2137e1
commit
4a400e486e
@ -126,6 +126,7 @@ class ProjectDigestFilter implements Filter {
|
||||
|| nonce == null //
|
||||
|| uri == null //
|
||||
|| response == null //
|
||||
|| !"auth".equals(qop) //
|
||||
|| !REALM_NAME.equals(realm)) {
|
||||
context.log("Invalid header: " + AUTHORIZATION + ": " + hdr);
|
||||
rsp.sendError(SC_FORBIDDEN);
|
||||
@ -146,14 +147,8 @@ class ProjectDigestFilter implements Filter {
|
||||
|
||||
final String A1 = username + ":" + realm + ":" + passwd;
|
||||
final String A2 = method + ":" + uri;
|
||||
|
||||
final String expect;
|
||||
if ("auth".equals(qop)) {
|
||||
expect = KD(H(A1), //
|
||||
nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
|
||||
} else {
|
||||
expect = KD(H(A1), nonce + ":" + H(A2));
|
||||
}
|
||||
final String expect =
|
||||
KD(H(A1), nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
|
||||
|
||||
if (expect.equals(response)) {
|
||||
try {
|
||||
|
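Review bot: With qop now required to be "auth", the unconditional `KD(H(A1), nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2))` in the second hunk also depends on nc and cnonce, yet the rejection condition in the first hunk only shows null checks for nonce, uri, response and qop; unless nc and cnonce are validated above the hunk (not visible here), a header missing either will concatenate the literal "null" into the expected digest and be refused only by accidental mismatch, with no "Invalid header" log entry. Extend the guard next to the new `!"auth".equals(qop)` check with `|| nc == null //` and `|| cnonce == null //` so malformed requests are reported as such. Separately, the `expect.equals(response)` comparison right after the new assignment short-circuits on the first differing character; `MessageDigest.isEqual(expect.getBytes(StandardCharsets.UTF_8), response.getBytes(StandardCharsets.UTF_8))` keeps the digest check constant-time. The enclosing method starts and ends outside both hunks.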