[Webkit-unassigned] [Bug 10727] New: During HTTP Digest Authentication qop values are parsed and generated incorrectly
bugzilla-daemon at opendarwin.org
Mon Sep 4 06:36:54 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=10727
Summary: During HTTP Digest Authentication qop values are parsed and generated incorrectly
Product: WebKit
Version: 420+ (nightly)
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at opendarwin.org
ReportedBy: manfred at gmail.com
Safari doesn't create and parse qop values correctly in Authorization and
WWW-Authenticate headers. For instance, Safari might send something like
this:
Authorization: Digest username="admin", realm="Admin",
nonce="GI3ZTQ3YjE4NTBlZGY4NW", uri="/",
response="84fc1690932d829b370d777aa347b102",
opaque="dfee40b0bdb127c71402d3fa56ea06e6", algorithm="MD5",
cnonce="ba92b4576c37d5ade9b1831895f2847f", nc=00000001, qop="auth"
But in the Authorization header the qop value shouldn't be quoted. According to
RFC 2617 the Authorization header should contain a 'message-qop', which is
defined as
message-qop = "qop" "=" qop-value
qop-value = "auth" | "auth-int" | token
Note that the quotes mean that the string is a literal, the quotes shouldn't be
sent. The correct way to send a qop value would be
... qop=auth ...
or
... qop=auth-int ...
When the server sends a qop value, the value is quoted because it can contain
several values. For instance:
WWW-Authenticate: Digest nonce="BmMDBmZWIwZGJhM2VlZjg0MTVlNTZkMw", qop="auth
auth-int", algorithm=MD5, opaque="36672a02d3d4ccd4777220ddcf3b0f20",
realm="Admin"
The RFC defines this as:
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token
I have found that sending qop="auth auth-int" doesn't trigger authentication in
Safari, while qop="auth" does. The whole reason for sending multiple qops is
that the browser can respond with the most secure authentication method known.
The browser should ignore all unknown qop values, because even qop="auth
my-favorite-qop" is a valid challenge.
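The two rules the report is about (a quoted, possibly multi-valued qop-options in the challenge; a bare-token message-qop in the credentials) are easy to get wrong in both directions, so here is an added example of a client doing it the RFC 2617 way. It is illustrative code written for this note, not WebKit's implementation. One caveat worth knowing: the "1#qop-value" rule in RFC 2617 is a comma-separated list, so the strictly conformant form of the challenge above is qop="auth,auth-int"; the parser below accepts commas and also tolerates whitespace as a separator, and it ignores unknown values instead of refusing the challenge. It handles algorithm=MD5 only; the username, password and the second challenge in the test are constructed, and the cnonce is generated with secrets when the caller does not supply one.

```python
import hashlib
import re
import secrets

# One 'name=value' Digest parameter: the value is either a quoted-string
# (backslash escapes allowed) or a bare token (RFC 2617 section 3.2).
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# qop values this client implements, most protective first: auth-int also
# covers the entity body, so it wins when the server offers it.
SUPPORTED_QOP = ("auth-int", "auth")


def parse_digest_params(header_value):
    """Parse 'Digest k1="v1", k2=v2, ...' into a dict with quotes stripped.
    Works for both WWW-Authenticate (challenge) and Authorization (credentials)."""
    parts = re.split(r"\s+", header_value.strip(), maxsplit=1)
    if parts[0].lower() != "digest" or len(parts) < 2:
        raise ValueError("not a Digest header")
    params = {}
    for m in _PARAM_RE.finditer(parts[1]):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = value.replace('\\"', '"')
    return params


def choose_qop(qop_options, supported=SUPPORTED_QOP):
    """Pick the strongest supported qop from the challenge's qop-options.

    RFC 2617 defines it as <"> 1#qop-value <">, a comma-separated list;
    whitespace is tolerated as a separator too because some servers send
    'auth auth-int'. Unknown values such as 'my-favorite-qop' are ignored.
    Returns None when no usable qop was offered (RFC 2069 legacy digest)."""
    if not qop_options:
        return None
    offered = {v.lower() for v in re.split(r"[,\s]+", qop_options.strip()) if v}
    for candidate in supported:
        if candidate in offered:
            return candidate
    return None


def _h(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_authorization(challenge, username, password, method, uri,
                        body=b"", cnonce=None, nc=1, supported=SUPPORTED_QOP):
    """Build the Authorization header value for a parsed challenge (MD5 only)."""
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this example")
    realm, nonce = challenge["realm"], challenge["nonce"]
    qop = choose_qop(challenge.get("qop"), supported)

    ha1 = _h(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = _h(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = _h(f"{method}:{uri}")

    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"']
    if qop is None:
        response = _h(f"{ha1}:{nonce}:{ha2}")
    else:
        cnonce = cnonce or secrets.token_hex(16)
        nc_value = f"{nc:08x}"
        response = _h(f"{ha1}:{nonce}:{nc_value}:{cnonce}:{qop}:{ha2}")
        # message-qop and nc-value are bare tokens: no quotes, unlike the
        # challenge's qop-options, which is a quoted list.
        fields += [f"qop={qop}", f"nc={nc_value}", f'cnonce="{cnonce}"']
    fields.append(f'response="{response}"')
    if "opaque" in challenge:
        fields.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # Challenge in the shape from the report (space-separated list);
    # the password is a constructed value.
    chal = parse_digest_params('Digest nonce="BmMDBmZWIwZGJhM2VlZjg0MTVlNTZkMw", '
                               'qop="auth auth-int", algorithm=MD5, '
                               'opaque="36672a02d3d4ccd4777220ddcf3b0f20", realm="Admin"')
    print(build_authorization(chal, "admin", "secret", "GET", "/"))
```

Running the script against the report's challenge yields a header with qop=auth-int, nc=00000001 and a quoted cnonce, which is the form a server parsing strictly by the RFC grammar expects. Restricting `supported` to ("auth",) and feeding the RFC 2617 section 3.5 challenge for user Mufasa reproduces the response value printed in the RFC, which is a convenient self-check for any Digest client.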