Only accept auth=qop for digest authentication

Since we implement the digest authentication process and require
qop="auth" in the WWW-Authenticate challenge we send to the client,
a valid Authorization response must carry qop=auth as well.

Change-Id: I2ecd4bc8568ad432ac7f54d82e465be06dc01993
Signed-off-by: Shawn O. Pearce <sop@google.com>
Shawn O. Pearce 2010-12-13 09:29:52 -08:00
parent 9a9d2137e1
commit 4a400e486e


@ -126,6 +126,7 @@ class ProjectDigestFilter implements Filter {
|| nonce == null //
|| uri == null //
|| response == null //
|| !"auth".equals(qop) //
|| !REALM_NAME.equals(realm)) {
context.log("Invalid header: " + AUTHORIZATION + ": " + hdr);
rsp.sendError(SC_FORBIDDEN);
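Review bot: The new `!"auth".equals(qop)` test makes `nc` and `cnonce` mandatory inputs, since the expected digest is now always built from `nonce + ":" + nc + ":" + cnonce + ...`, yet neither appears in the visible null checks; a request carrying `qop=auth` but no `nc`/`cnonce` would be compared against a digest built from the literal string "null" instead of being rejected. Unless they are already validated above this hunk (the `if` condition starts before line 126, so I cannot see its head), add `|| nc == null || cnonce == null` next to the `qop` test, and consider also requiring `nc` to be the 8-hex-digit form the spec defines. Separately, the rejection path logs the full Authorization header via `context.log("Invalid header: " + AUTHORIZATION + ": " + hdr)`, which writes the client's username, nonce, cnonce and response hash into the server log; logging only the directive that failed would be safer. The enclosing `doFilter` body continues outside the hunk.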
@ -146,14 +147,8 @@ class ProjectDigestFilter implements Filter {
final String A1 = username + ":" + realm + ":" + passwd;
final String A2 = method + ":" + uri;
final String expect;
if ("auth".equals(qop)) {
expect = KD(H(A1), //
nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
} else {
expect = KD(H(A1), nonce + ":" + H(A2));
}
final String expect =
KD(H(A1), nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + H(A2));
if (expect.equals(response)) {
try {