You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
According to RFC https://www.ietf.org/rfc/rfc7616.html the qop delimiter can actually include a whitespace , as in the example that appears in the RFC :
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="http-auth@example.org",
qop="auth, auth-int",
(comma-whitespace instead of just comma)
In this case Curl would wrongly parse a token " auth-int" (with leading whitespace) instead of just "auth-int".
Found on Ubuntu 21.04
The text was updated successfully, but these errors were encountered:
When parsing the "qop=" parameter of the digest authentication, and the
value is provided within quotes, the list of values can have leading
white space which the parser previously did not handle correctly.
Add test case 388 to verify.
Reported-by: vlubart on github
Fixes#9264
Closes #
When parsing the "qop=" parameter of the digest authentication Curl uses “,” delimiter. See function auth_digest_get_qop_values() in
curl/lib/vauth/digest.c
Line 235 in 40b6206
token = strtok_r(tmp, ",", &tok_buf);
The same at
curl/lib/vauth/digest.c
Line 244 in 40b6206
According to RFC https://www.ietf.org/rfc/rfc7616.html the qop delimiter can actually include a whitespace , as in the example that appears in the RFC :
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="http-auth@example.org",
qop="auth, auth-int",
(comma-whitespace instead of just comma)
In this case Curl would wrongly parse a token " auth-int" (with leading whitespace) instead of just "auth-int".
Found on Ubuntu 21.04
The text was updated successfully, but these errors were encountered: