[ https://issues.apache.org/jira/browse/SERF-207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Branko Čibej reassigned SERF-207:
---------------------------------
Assignee: (was: Branko Čibej)
> Digest authn provider should verify received parameters.
> --------------------------------------------------------
>
> Key: SERF-207
> URL: https://issues.apache.org/jira/browse/SERF-207
> Project: serf
> Issue Type: Improvement
> Affects Versions: serf-1.4.0, serf-trunk, serf-1.3.10
> Reporter: Branko Čibej
> Priority: Minor
> Fix For: serf-trunk
>
> Attachments: SERF-207.2.patch, SERF-207.patch
>
>
> The Digest authentication scheme supports only {{algorithm=MD5}} and
> {{qop=auth}} parameters. This is equivalent to what's supported by HTTPd's
> {{mod_auth_digest}}, so feature-wise that's fine.
> However, the code never checks those parameters in the response header and
> just blindly generates an authn response using those assumed values. If those
> parameters are different, the authentication will fail in any case, but we
> could avoid one roundtrip with a weakly-hashed password by checking the
> parameter values and failing early.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)