Bug#974572: libwww-perl: LWP::UserAgent Authen Digest POST message-digest broken/ineffective
Florian Lohoff
f at zz.de
Fri Nov 13 10:15:34 GMT 2020
Hi,
after some digging I guess I can explain where this code comes from.
In March 1996 the 3rd Draft of the "Digest Access Authentication" contained the
message-digest as optional.
https://tools.ietf.org/html/draft-ietf-http-digest-aa-03
The purpose of the <message-digest> is to allow the server to
ensure that the content of the request body has not been tampered
with after leaving the client. This would normally be used with a
POST or PUT request and would allow the server to check the validity
of the posted data. The <entity-body> is the "entity body" as
prescribed in the Hypertext Transfer Protocol version 1.1.
Just 3 Months later it was dropped from the Draft:
https://tools.ietf.org/html/draft-ietf-http-digest-aa-04
No mention of the "message-digest".
So the LWP::UserAgent Digest Authentication code was written against
Draft 3 in 1996, and when that draft was updated and later got onto
the Standards Track, nobody removed that code.
That code has never been tested, nor has it ever been functional.
I would propose to remove these lines:
50 if($request->method =~ /^(?:POST|PUT)$/) {
51 $md5->add($request->content);
52 my $content = $md5->hexdigest;
53 $md5->reset;
54 $md5->add(join(":", @digest[0..1], $content));
55 $md5->reset;
56 $resp{"message-digest"} = $md5->hexdigest;
57 push(@order, "message-digest");
58 }
Flo
--
Florian Lohoff f at zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
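To make the "never been functional" claim concrete, here is an added example (not part of the bug report and not LWP's own code) that translates the quoted Perl block line by line into Python and shows why the value sent as message-digest is useless. The PerlMD5 class below is an assumption-labelled stand-in for Perl's Digest::MD5 object interface, modelling its documented behaviour that hexdigest() returns the digest of everything add()ed so far and then resets the object, while reset() simply discards the accumulated data. The second function, named message_digest_as_apparently_intended, is my reading of what the block's structure was trying to compute (H(A1):nonce:H(body) hashed once more); it is not quoted from any draft and is only there to contrast with the real behaviour. All inputs are constructed.

```python
import hashlib

# MD5 of zero bytes; this is what the quoted code ends up sending for every request.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


class PerlMD5:
    """Assumption: minimal model of Perl's Digest::MD5 OO interface.

    add() appends data, hexdigest() returns the digest of all data added so
    far and then resets the object, reset() throws the accumulated data away.
    """

    def __init__(self):
        self._h = hashlib.md5()

    def add(self, data):
        self._h.update(data if isinstance(data, bytes) else data.encode())
        return self

    def hexdigest(self):
        out = self._h.hexdigest()
        self._h = hashlib.md5()  # Digest::MD5 resets after producing a digest
        return out

    def reset(self):
        self._h = hashlib.md5()
        return self


def message_digest_as_written(ha1, nonce, body):
    """Line-by-line translation of the quoted LWP::Authen::Digest block.

    ha1 and nonce stand in for @digest[0..1]; body for $request->content.
    """
    md5 = PerlMD5()
    md5.add(body)
    content = md5.hexdigest()                 # H(entity-body)
    md5.reset()                                # redundant: hexdigest already reset
    md5.add(":".join([ha1, nonce, content]))   # build the value to be hashed ...
    md5.reset()                                # ... and immediately discard it
    return md5.hexdigest()                     # digest of nothing at all


def message_digest_as_apparently_intended(ha1, nonce, body):
    """Assumption: what the block's structure suggests it meant to compute,
    i.e. H(ha1:nonce:H(body)). Not a quotation of any draft text."""
    md5 = PerlMD5()
    md5.add(body)
    content = md5.hexdigest()
    md5.add(":".join([ha1, nonce, content]))
    return md5.hexdigest()


def digest_depends_on_body(func, ha1, nonce):
    """True if func yields different values for different request bodies.

    A server-side check can only detect tampering when this is True.
    """
    a = func(ha1, nonce, b"name=alice&amount=10")
    b = func(ha1, nonce, b"name=alice&amount=9999")
    return a != b


if __name__ == "__main__":
    # Constructed sample values; a real HA1 would be MD5(user:realm:password).
    ha1 = hashlib.md5(b"alice:example:secret").hexdigest()
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    for body in (b"name=alice&amount=10", b"name=alice&amount=9999"):
        print("as written  :", message_digest_as_written(ha1, nonce, body))
        print("as intended :", message_digest_as_apparently_intended(ha1, nonce, body))
    print("written code binds the body?", digest_depends_on_body(message_digest_as_written, ha1, nonce))
    print("intended code binds the body?", digest_depends_on_body(message_digest_as_apparently_intended, ha1, nonce))
```

Run it and the "as written" value is the same constant, the MD5 of the empty string, for every body: a server trusting that header learns nothing about whether the POST/PUT content was altered in transit, which is why removing the dead block loses no protection.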