Digest auth not working for uri '/' #13

Open
hnakamur opened this Issue Jul 18, 2012 · 1 comment

@hnakamur

I debugged and found out that r->uri becomes '/index.html' even when the request line is 'GET / HTTP/1.1'.
On the other hand, r->unparsed_uri.data = '/ HTTP/1.1' and r->unparsed_uri.len = 1,
so we should take the substring of length r->unparsed_uri.len of r->unparsed_uri.data.

This is achieved with the two commits below:
chazmcgarvey@227871e
hnakamur@9d2824b

However, even with these fixes, it still does not work for uri '/'.
It seems that ngx_bitvector_test in ngx_int_t ngx_http_auth_digest_verify_hash returns false.

@carlst
carlst commented Nov 14, 2014

Yes, Nginx does an internal redirect to the index file when r->uri is '/' (default index file is '/index.html'). So, even if r->unparsed_uri.data is used, the found->nc bitvector will already be cleared by the initial uri processing (to prevent replays).

One workaround is to check r->internal when found != NULL && ngx_bitvector_test(...) returns false. More checking needs to be done to ensure this is secure.
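
The double verification described in this thread, as an added example that is not the module's code or part of either comment: a simplified stand-alone model of a nonce-count bitvector where the handler runs once for `/` and again after the internal redirect to the index file. All names (`nonce_state_t`, `request_t`, `verify_nc`, `serve_root`) and the 32-slot bitmap are assumptions for illustration; only the `internal` flag mirrors `r->internal`.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (hypothetical names): one bit per nonce-count value.
 * A set bit means "nc not used yet"; accepting a request clears it. */
typedef struct { uint32_t nc_unused; } nonce_state_t;     /* 32 nc slots */
typedef struct { unsigned nc; int internal; } request_t;  /* internal mirrors r->internal */

static void nonce_init(nonce_state_t *s) { s->nc_unused = 0xFFFFFFFFu; }

static int nc_test(const nonce_state_t *s, unsigned nc) {
    return nc < 32 && ((s->nc_unused >> nc) & 1u);
}

/* Returns 1 if the request passes the replay check, 0 if rejected.
 * allow_internal enables the r->internal workaround from the thread. */
static int verify_nc(nonce_state_t *s, const request_t *r, int allow_internal) {
    if (r->nc >= 32) return 0;
    if (nc_test(s, r->nc)) {
        s->nc_unused &= ~(1u << r->nc);   /* consume the nc */
        return 1;
    }
    /* nc already consumed: a replay, unless this is the same request
     * re-entering the handler after an internal redirect. */
    return allow_internal && r->internal;
}

/* GET / : the handler runs for "/", then again for "/index.html". */
static int serve_root(nonce_state_t *s, unsigned nc, int allow_internal) {
    request_t first = { nc, 0 };
    request_t redirected = { nc, 1 };
    return verify_nc(s, &first, allow_internal)
        && verify_nc(s, &redirected, allow_internal);
}

int main(void) {
    nonce_state_t s;
    request_t replay = { 1, 0 };   /* constructed: client resends nc=1 */
    nonce_init(&s);
    printf("without workaround: %d\n", serve_root(&s, 1, 0));
    nonce_init(&s);
    printf("with workaround:    %d\n", serve_root(&s, 1, 1));
    printf("external replay:    %d\n", verify_nc(&s, &replay, 1));
    return 0;
}
```

In this model any internal pass with an already-consumed nc is accepted, without tying it to the external pass that consumed it, which is the gap the comment's call for more checking refers to.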
