Bug#974572: libwww-perl: LWP::UserAgent Authen Digest POST message-digest broken/ineffective
Florian Lohoff
f at zz.de
Thu Nov 12 12:23:29 GMT 2020
Package: libwww-perl
Version: 6.36-2
Severity: normal
Hi,
while implementing Digest Auth for AnyEvent::HTTP I found an issue in
LWP::UserAgent Digest Authen. The whole code for creating the
"message-digest" is broken/ineffective as there seems to be a stray
md5->reset:
/usr/share/perl5/LWP/Authen/Digest.pm
    if($request->method =~ /^(?:POST|PUT)$/) {
        $md5->add($request->content);
        my $content = $md5->hexdigest;
        $md5->reset;
        $md5->add(join(":", @digest[0..1], $content));
        $md5->reset;
        $resp{"message-digest"} = $md5->hexdigest;
        push(@order, "message-digest");
    }
As the md5 object is being reset before the md5->hexdigest is being
extracted it will always return the md5 null value hexdigest:
flo at p4:~$ perl -MDigest::MD5 -e '$m=new Digest::MD5; print "Init " . $m->hexdigest() . "\n"; $m->add("Foo"); print "Foo " . $m->hexdigest() . "\n"; $m->reset(); print "Reset " . $m->hexdigest . "\n";'
Init d41d8cd98f00b204e9800998ecf8427e
Foo 1356c67d7ad1638d816bfb822dd2c25d
Reset d41d8cd98f00b204e9800998ecf8427e
I also failed to find the corresponding RFC describing the message-digest auth request field.
Flo
-- System Information:
Debian Release: 10.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libwww-perl depends on:
ii ca-certificates 20200601~deb10u1
ii libencode-locale-perl 1.05-1
ii libfile-listing-perl 6.04-1
ii libhtml-parser-perl 3.72-3+b3
ii libhtml-tagset-perl 3.20-3
ii libhtml-tree-perl 5.07-2
ii libhttp-cookies-perl 6.04-1
ii libhttp-date-perl 6.02-1
ii libhttp-message-perl 6.18-1
ii libhttp-negotiate-perl 6.01-1
ii liblwp-mediatypes-perl 6.02-1
ii liblwp-protocol-https-perl 6.07-2
ii libnet-http-perl 6.18-1
ii libtry-tiny-perl 0.30-1
ii liburi-perl 1.76-1
ii libwww-robotrules-perl 6.02-1
ii netbase 5.6
ii perl 5.28.1-6+deb10u1
Versions of packages libwww-perl recommends:
ii libdata-dump-perl 1.23-1
ii libhtml-form-perl 6.03-1
ii libhtml-format-perl 2.12-1
ii libhttp-daemon-perl 6.01-3
ii libmailtools-perl 2.18-1
Versions of packages libwww-perl suggests:
pn libauthen-ntlm-perl <none>
-- no debconf information
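
Added example, not part of the original report and not code from libwww-perl: a regression check that runs the quoted Digest::MD5 call sequence over two different request bodies and compares it with the same sequence without the second reset. The sub names, the @digest stand-in values and the request bodies are constructed for illustration, and dropping the second reset is an assumed correction.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;

# Constructed stand-ins for @digest[0..1]; not values from a real exchange.
my @digest = ('constructed-element-0', 'constructed-element-1');

# Same Digest::MD5 call sequence as the quoted block, second reset included.
sub message_digest_as_quoted {
    my ($body) = @_;
    my $md5 = Digest::MD5->new;
    $md5->add($body);
    my $content = $md5->hexdigest;
    $md5->reset;
    $md5->add(join(":", @digest[0..1], $content));
    $md5->reset;                 # throws away the data added on the line above
    return $md5->hexdigest;      # digest of no input at all
}

# Assumed correction (not the package's code): the second reset is dropped.
sub message_digest_without_second_reset {
    my ($body) = @_;
    my $md5 = Digest::MD5->new;
    $md5->add($body);
    my $content = $md5->hexdigest;
    $md5->reset;
    $md5->add(join(":", @digest[0..1], $content));
    return $md5->hexdigest;
}

my $empty  = Digest::MD5->new->hexdigest;    # MD5 of the empty string
my @bodies = ('field=one', 'field=two');     # constructed request bodies

for my $body (@bodies) {
    printf "%-10s quoted=%s corrected=%s\n", $body,
        message_digest_as_quoted($body),
        message_digest_without_second_reset($body);
}

# As quoted, the field is the same constant for every body.
die "expected the empty-input digest\n"
    if grep { message_digest_as_quoted($_) ne $empty } @bodies;

# Without the second reset, the value changes when the body changes.
die "expected body-dependent digests\n"
    if message_digest_without_second_reset($bodies[0])
    eq message_digest_without_second_reset($bodies[1]);

print "as quoted: constant $empty; corrected: depends on the body\n";
```

A "message-digest" value equal to the empty-input MD5 shown in the report's one-liner output is therefore independent of the request body and provides no integrity check on it.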