When parsing the "qop=" parameter of the digest authentication, Curl uses the "," delimiter. See function auth_digest_get_qop_values() in curl/lib/vauth/digest.c, line 235 in 40b6206:

    token = strtok_r(tmp, ",", &tok_buf);

The same at curl/lib/vauth/digest.c, line 244 in 40b6206:

    token = strtok_r(NULL, ",", &tok_buf);

According to RFC https://www.ietf.org/rfc/rfc7616.html, the qop delimiter can actually include whitespace, as in the example that appears in the RFC:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest
        realm="http-auth@example.org",
        qop="auth, auth-int",

(comma-whitespace instead of just comma)

In this case Curl would wrongly parse a token " auth-int" (with leading whitespace) instead of just "auth-int".

Found on Ubuntu 21.04
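
An added example, not curl's code: it splits the RFC's qop value on "," as described in the report and compares that with a variant that trims whitespace around each token before matching. The names parse_qop, trim, QOP_AUTH and QOP_AUTH_INT, the fixed-size buffer and the case-insensitive comparison are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L /* strtok_r, strcasecmp */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define QOP_AUTH     (1 << 0) /* hypothetical flag names for this example */
#define QOP_AUTH_INT (1 << 1)

/* Strip leading and trailing whitespace in place; returns the new start. */
static char *trim(char *s)
{
  char *end;
  while(*s && isspace((unsigned char)*s))
    s++;
  end = s + strlen(s);
  while(end > s && isspace((unsigned char)end[-1]))
    end--;
  *end = '\0';
  return s;
}

/* Split a qop list on "," and return a bitmask of the recognized values.
   With do_trim == 0 each token is compared exactly as strtok_r returns it. */
static int parse_qop(const char *options, int do_trim)
{
  char buf[128], *tok_buf = NULL, *token;
  int mask = 0;
  if(strlen(options) >= sizeof(buf))
    return -1; /* too long for this example's fixed buffer */
  strcpy(buf, options);
  for(token = strtok_r(buf, ",", &tok_buf); token;
      token = strtok_r(NULL, ",", &tok_buf)) {
    if(do_trim)
      token = trim(token);
    if(!strcasecmp(token, "auth"))
      mask |= QOP_AUTH;
    else if(!strcasecmp(token, "auth-int"))
      mask |= QOP_AUTH_INT;
  }
  return mask;
}

int main(void)
{
  const char *qop = "auth, auth-int"; /* qop value from the RFC example */
  printf("comma only: 0x%x\n", parse_qop(qop, 0));
  printf("trimmed:    0x%x\n", parse_qop(qop, 1));
  return 0;
}
```

With the comma-only split, " auth-int" does not match and the server's offer of auth-int is silently dropped from the result.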