Fix request loop on non-stale nonce with time_limit parameter. #406

Merged

3 participants

@dayflower

On HTTP Digest auth (MD5), when Rack::Auth::Digest::Nonce.time_limit is set, the stale? function of Nonce always returns false, so the user-agent's re-challenges never succeed. As a consequence, the request-response cycle loops infinitely.

@travisbot

This pull request fails (merged 4f81156 into edc8b92).

@raggi raggi merged commit d749c46 into rack:master
@raggi

Thanks!

Showing with 15 additions and 1 deletion.
  1. +1 −1 lib/rack/auth/digest/nonce.rb
  2. +14 −0 test/spec_auth_digest.rb
lib/rack/auth/digest/nonce.rb (2 changed lines)
@@ -38,7 +38,7 @@ def valid?
end
def stale?
- !self.class.time_limit.nil? && (@timestamp - Time.now.to_i) < self.class.time_limit
+ !self.class.time_limit.nil? && (Time.now.to_i - @timestamp) > self.class.time_limit
end
def fresh?
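Review bot: the corrected expression deserves a short comment in the method, because the original is easy to reintroduce: `@timestamp - Time.now.to_i` is zero or negative for any nonce issued in the past, so with a positive time_limit the comparison comes out the same regardless of the nonce's age, whereas `Time.now.to_i - @timestamp` actually measures elapsed seconds. Two things to confirm: with `>`, a nonce exactly time_limit seconds old is still treated as not stale (use `>=` if the limit is meant to be exclusive), and `fresh?`, which follows directly, should be the complement of this method so a nonce can never be both fresh and stale.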
test/spec_auth_digest.rb (14 changed lines)
@@ -153,6 +153,20 @@ def assert_bad_request(response)
end
end
+ should 'not rechallenge if nonce is not stale' do
+ begin
+ Rack::Auth::Digest::Nonce.time_limit = 10
+
+ request_with_digest_auth 'GET', '/', 'Alice', 'correct-password', :wait => 1 do |response|
+ response.status.should.equal 200
+ response.body.to_s.should.equal 'Hi Alice'
+ response.headers['WWW-Authenticate'].should.not =~ /\bstale=true\b/
+ end
+ ensure
+ Rack::Auth::Digest::Nonce.time_limit = nil
+ end
+ end
+
should 'rechallenge with stale parameter if nonce is stale' do
begin
Rack::Auth::Digest::Nonce.time_limit = 1
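Review bot: the final assertion in the new test is weaker than it reads: on a 200 response no WWW-Authenticate header is expected at all, and `response.headers['WWW-Authenticate'].should.not =~ /\bstale=true\b/` passes just as well when the header is nil. Asserting `response.headers['WWW-Authenticate'].should.be.nil` states the intent directly (no re-challenge was issued). The `:wait => 1` against `time_limit = 10` correctly stays inside the limit and mirrors the existing stale test that uses `time_limit = 1`, and the `ensure` resetting `time_limit` to nil keeps the class-level setting from leaking into other specs.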