@trxvorr (Contributor) commented Dec 27, 2025

The migration to the strparse API introduced regressions in Digest authentication parsing where Optional Whitespace (OWS) after commas was not skipped, and escaped quotes in values were not correctly parsed.

This change ensures whitespace is skipped before key lookups and escaped characters are properly handled and unescaped in quoted values.

Reported-by: herdiyanitdev (hackerone)
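
The two behaviours described above (skipping OWS before a key, and unescaping backslash-escaped characters inside a quoted value), shown as an added example that is not part of the pull request and is not curl's code. The names `get_pair` and `SAMPLE` are hypothetical, and the header string is constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample challenge: OWS after commas, escaped quotes in realm. */
const char SAMPLE[] =
  "realm=\"test \\\"quoted\\\" realm\", \t nonce=\"abc123\",qop=auth";

/* Hypothetical helper, not curl's code: parse one key=value pair at s.
   Returns 1 and sets *endp past the pair and its comma, 0 on bad input. */
int get_pair(const char *s, char *key, size_t klen,
             char *val, size_t vlen, const char **endp)
{
  size_t k, v = 0;
  s += strspn(s, " \t");              /* OWS before the key (after a comma) */
  k = strcspn(s, "=, \t");
  if(!k || k >= klen || !vlen || s[k] != '=')
    return 0;                         /* empty/oversized key or no '=' */
  memcpy(key, s, k);
  key[k] = '\0';
  s += k + 1;
  if(*s == '"') {                     /* quoted value */
    s++;
    while(*s && *s != '"') {
      /* escaped char: drop the backslash, keep the next byte literally */
      if((*s == '\\' && !*++s) || v + 1 >= vlen)
        return 0;                     /* dangling backslash or value too long */
      val[v++] = *s++;
    }
    if(*s++ != '"')
      return 0;                       /* unterminated quoted value */
  }
  else {                              /* unquoted value: ends at comma or OWS */
    v = strcspn(s, ", \t");
    if(v >= vlen)
      return 0;
    memcpy(val, s, v);
    s += v;
  }
  val[v] = '\0';
  s += strspn(s, " \t");              /* OWS before the separating comma */
  *endp = (*s == ',') ? s + 1 : s;
  return 1;
}
```

Calling `get_pair` repeatedly, feeding `*endp` back in as `s`, walks the whole header; a parser without the leading `strspn` would see the second key as `" \t nonce"` and miss the lookup.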

@github-actions github-actions bot added the tests label Dec 27, 2025
@trxvorr (Contributor, Author) commented Dec 27, 2025

this was the report
https://hackerone.com/reports/3473384

@testclutch

Analysis of PR #20102 at e3c3ac15:

Test 1664 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 810 different CI jobs (the link just goes to one of them).

Test 2084 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 296 different CI jobs (the link just goes to one of them). Note that this CI job has had a number of other flaky tests recently (3, to be exact) so it may be that this failure is rather a systemic issue with this job and not with this specific PR.

Test 2500 failed, but it has been 20.1% flaky lately, so it's probably NOT a fault of the PR. Note that this test has failed in 4 different CI jobs (the link just goes to one of them). Note that this CI job has had a number of other flaky tests recently (3, to be exact) so it may be that this failure is rather a systemic issue with this job and not with this specific PR.

Generated by Testclutch

@trxvorr trxvorr marked this pull request as draft December 28, 2025 04:30
@trxvorr trxvorr force-pushed the fix/digest-auth-ows-quotes branch 5 times, most recently from 7d3037e to 1584df8 Compare December 28, 2025 09:34
@trxvorr trxvorr force-pushed the fix/digest-auth-ows-quotes branch from 1584df8 to 008a74c Compare December 28, 2025 10:10
@trxvorr trxvorr force-pushed the fix/digest-auth-ows-quotes branch 2 times, most recently from 279f91c to f448445 Compare December 28, 2025 17:23
@trxvorr trxvorr force-pushed the fix/digest-auth-ows-quotes branch from 1aaff18 to 497c7b5 Compare December 28, 2025 18:28
@trxvorr trxvorr marked this pull request as ready for review December 28, 2025 18:34
@trxvorr (Contributor, Author) commented Dec 28, 2025

@vszakats I think everything is working as intended now. Could you please check?

@trxvorr (Contributor, Author) commented Dec 29, 2025

@vszakats Hey, hope you're doing well.
Any updates?

@trxvorr trxvorr force-pushed the fix/digest-auth-ows-quotes branch from b2450cf to f2bcab8 Compare December 30, 2025 16:26
@bagder bagder closed this in f81e719 Dec 30, 2025
@bagder (Member) commented Dec 30, 2025

Thanks!
