Curl does not parse correctly the "qop=" parameter of Digest authentication #9264

vlubart opened this issue Aug 7, 2022 · 2 comments



vlubart commented Aug 7, 2022

When parsing the "qop=" parameter of the digest authentication, Curl uses the “,” delimiter. See function auth_digest_get_qop_values() in

token = strtok_r(tmp, ",", &tok_buf);
The same at
token = strtok_r(NULL, ",", &tok_buf);

According to the RFC, the qop delimiter can actually include whitespace, as in the example that appears in the RFC:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
qop="auth, auth-int",
(comma-whitespace instead of just comma)

In this case Curl would wrongly parse a token " auth-int" (with leading whitespace) instead of just "auth-int".
Found on Ubuntu 21.04

bagder added a commit that referenced this issue Aug 7, 2022
When parsing the "qop=" parameter of the digest authentication, and the
value is provided within quotes, the list of values can have leading
white space which the parser previously did not handle correctly.

Add test case 388 to verify.

Reported-by: vlubart on github
Fixes #9264
Closes #
@bagder bagder self-assigned this Aug 7, 2022
@bagder bagder closed this as completed in 0ad7c8d Aug 8, 2022
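
The parsing problem reported above, as an added example that is not curl's code and not the committed fix: the value is split on "," only, as the quoted strtok_r() calls do, and each token is matched with and without trimming surrounding whitespace. The names `parse_qop`, `qop_flag`, `QOP_AUTH` and `QOP_AUTH_INT` are hypothetical, and the sample value is constructed from the RFC example quoted in the issue.

```c
#include <stdio.h>
#include <string.h>

#define QOP_AUTH     (1 << 0)
#define QOP_AUTH_INT (1 << 1)

/* Hypothetical helper: exact-match one token of `len` bytes to a flag. */
static int qop_flag(const char *tok, size_t len)
{
  if(len == 4 && !memcmp(tok, "auth", 4))
    return QOP_AUTH;
  if(len == 8 && !memcmp(tok, "auth-int", 8))
    return QOP_AUTH_INT;
  return 0; /* unknown token, including " auth-int" with a leading space */
}

/* Split a qop value on ',' only and OR the recognised flags together.
   trim == 0: compare tokens exactly as split (the reported behaviour).
   trim != 0: strip spaces and tabs around each token before comparing. */
static int parse_qop(const char *value, int trim)
{
  int flags = 0;
  const char *p = value;
  for(;;) {
    size_t len = strcspn(p, ","); /* length of the current token */
    const char *tok = p;
    size_t n = len;
    if(trim) {
      for(; n && (*tok == ' ' || *tok == '\t'); n--)
        tok++;
      while(n && (tok[n - 1] == ' ' || tok[n - 1] == '\t'))
        n--;
    }
    flags |= qop_flag(tok, n);
    if(p[len] == '\0')
      break;
    p += len + 1; /* step past the comma */
  }
  return flags;
}

int main(void)
{
  const char *qop = "auth, auth-int"; /* constructed from the RFC example */
  printf("as split: 0x%x\n", (unsigned)parse_qop(qop, 0));
  printf("trimmed:  0x%x\n", (unsigned)parse_qop(qop, 1));
  return 0;
}
```

Without trimming, only "auth" is recognised in the comma-whitespace form, so a client parsing this way would not see that the server offered "auth-int".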

vlubart commented Aug 8, 2022

Thanks for the quick resolution! When can a release with this fix be expected?


bagder commented Aug 8, 2022

This fix will be included in the next release. 7.85.0 is expected to ship on August 31.
