[https://issues.apache.org/jira/browse/SERF-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011988#comment-18011988]
Branko Čibej commented on SERF-207:
-----------------------------------
The updated [patch v2|^SERF-207.2.patch] applies to the {{user-defined-authn}}
branch.
> Digest authn provider should verify received parameters.
> --------------------------------------------------------
>
> Key: SERF-207
> URL: https://issues.apache.org/jira/browse/SERF-207
> Project: serf
> Issue Type: Improvement
> Affects Versions: serf-1.4.0, serf-trunk, serf-1.3.10
> Reporter: Branko Čibej
> Assignee: Branko Čibej
> Priority: Minor
> Attachments: SERF-207.2.patch, SERF-207.patch
>
>
> The Digest authentication scheme supports only {{algorithm=MD5}} and
> {{qop=auth}} parameters. This is equivalent to what's supported by HTTPd's
> {{mod_auth_digest}}, so feature-wise that's fine.
> However, the code never checks those parameters in the response header and
> just blindly generates an authn response using those assumed values. If those
> parameters are different, the authentication will fail in any case, but we
> could avoid one roundtrip with a weakly-hashed password by checking the
> parameter values and failing early.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
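The check the issue asks for, as an added illustration that is not serf's code and not the attached patch: parse the parameters of a Digest challenge and refuse anything other than {{algorithm=MD5}} (or absent, the RFC 2617 default) and a {{qop}} list containing {{auth}} (or absent, RFC 2069 style) before any response hash is computed, so no weakly-hashed credential is sent for a challenge the client cannot satisfy. The function names, the result enum and the sample challenge lines are constructed for this example; the parameter scanner is deliberately minimal and does not handle backslash escapes inside quoted strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating a challenge (constructed for this example). */
enum digest_check {
    DIGEST_OK = 0,
    DIGEST_MALFORMED,
    DIGEST_UNSUPPORTED_ALGORITHM,
    DIGEST_UNSUPPORTED_QOP
};

/* Case-insensitive comparison of a length-delimited span with a C string. */
static int span_ieq(const char *s, size_t n, const char *lit)
{
    if (strlen(lit) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Look up parameter `key` in the challenge body (the text after "Digest ").
   Copies the value, quotes stripped, into out. Returns 1 if found, 0 if absent,
   -1 if the parameter list is malformed (e.g. unterminated quoted-string). */
static int digest_param(const char *p, const char *key, char *out, size_t outlen)
{
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        if (!*p) break;
        const char *k = p;
        while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) p++;
        size_t klen = (size_t)(p - k);
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '=') return -1;              /* key without a value */
        p++;
        while (*p == ' ' || *p == '\t') p++;
        const char *v;
        size_t vlen;
        if (*p == '"') {                        /* quoted-string value */
            v = ++p;
            while (*p && *p != '"') p++;
            if (*p != '"') return -1;          /* unterminated quote */
            vlen = (size_t)(p - v);
            p++;
        } else {                                /* bare token value */
            v = p;
            while (*p && *p != ',' && !isspace((unsigned char)*p)) p++;
            vlen = (size_t)(p - v);
        }
        if (span_ieq(k, klen, key)) {
            if (vlen >= outlen) return -1;      /* value too long to be sane */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Does a qop list such as "auth,auth-int" offer plain "auth"? */
static int qop_has_auth(const char *qop)
{
    const char *p = qop;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        const char *t = p;
        while (*p && *p != ',' && *p != ' ') p++;
        if (span_ieq(t, (size_t)(p - t), "auth")) return 1;
    }
    return 0;
}

/* Validate a WWW-Authenticate Digest challenge before computing any response.
   Returns DIGEST_OK only for parameters the (hypothetical) client can honour. */
enum digest_check check_digest_challenge(const char *header)
{
    if (strlen(header) < 7 || !span_ieq(header, 6, "digest")
        || !isspace((unsigned char)header[6]))
        return DIGEST_MALFORMED;
    const char *body = header + 7;
    char val[128];
    int r;

    r = digest_param(body, "algorithm", val, sizeof val);
    if (r < 0) return DIGEST_MALFORMED;
    if (r == 1 && !span_ieq(val, strlen(val), "MD5")) return DIGEST_UNSUPPORTED_ALGORITHM;

    r = digest_param(body, "qop", val, sizeof val);
    if (r < 0) return DIGEST_MALFORMED;
    if (r == 1 && !qop_has_auth(val)) return DIGEST_UNSUPPORTED_QOP;

    return DIGEST_OK;
}

int main(void)
{
    /* Constructed challenge lines, not captured from any real server. */
    static const char *samples[] = {
        "Digest realm=\"test\", nonce=\"abc123\", algorithm=MD5, qop=\"auth\"",
        "Digest realm=\"test\", nonce=\"abc123\", algorithm=MD5-sess, qop=\"auth\"",
        "Digest realm=\"test\", nonce=\"abc123\", qop=\"auth-int\"",
        "Digest realm=\"test\", nonce=\"abc",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d: %s\n", (int)check_digest_challenge(samples[i]), samples[i]);
    return 0;
}
```

A client that fails early this way never sends an Authorization header for an unsupported challenge, which is exactly the extra round trip the issue wants to avoid; the same validation also rejects a truncated or malformed challenge instead of hashing against garbage.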