
Fixed request.method not being passed through verify and digest to compute_hA2. Reported by Andrew Alcock.
1 parent 616d710 commit 66434ac2f09b89d33344fe2b5932bb1d0746904a @shanewholloway committed Feb 22, 2012
Showing with 5 additions and 5 deletions.
  1. +5 −5 werkzeug/contrib/
10 werkzeug/contrib/
@@ -107,7 +107,7 @@ def isAuthenticated(self, request, **kw):
hashPass = self[authorization.username]
if hashPass is None:
return authResult.deny('unknown_user')
- elif not self.alg.verify(authorization, hashPass, **kw):
+ elif not self.alg.verify(authorization, hashPass, request.method, **kw):
return authResult.deny('invalid_password')
return authResult.approve('success')
@@ -191,20 +191,20 @@ def __init__(self, algorithm='md5'):
self.algorithm = algorithm.lower()
self.H = self.hashAlgorithms[self.algorithm]
- def verify(self, authorization, hashPass=None, **kw):
+ def verify(self, authorization, hashPass=None, method='GET', **kw):
reqResponse = self.digest(authorization, hashPass, **kw)
if reqResponse:
return (authorization.response.lower() == reqResponse.lower())
- def digest(self, authorization, hashPass=None, **kw):
+ def digest(self, authorization, hashPass=None, method='GET', **kw):
if authorization is None:
return None
if hashPass is None:
hA1 = self._compute_hA1(authorization, kw['password'])
else: hA1 = hashPass
- hA2 = self._compute_hA2(authorization, kw.pop('method', 'GET'))
+ hA2 = self._compute_hA2(authorization, method)
if 'auth' in authorization.qop:
res = self._compute_qop_auth(authorization, hA1, hA2)
@@ -219,7 +219,7 @@ def hashPassword(self, username, realm, password):
def _compute_hA1(self, auth, password=None):
return self.hashPassword(auth.username, auth.realm, password or auth.password)
- def _compute_hA2(self, auth, method):
+ def _compute_hA2(self, auth, method='GET'):
return self.H(method, auth.uri)
def _compute_qop_auth(self, auth, hA1, hA2):
return self.H(hA1, auth.nonce,, auth.cnonce, auth.qop, hA2)
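Review bot: `verify` in the second hunk now accepts `method` but still calls `self.digest(authorization, hashPass, **kw)`, so the value passed from `isAuthenticated` is dropped and `digest` falls back to its `'GET'` default. Before this change a `method` keyword travelled through `**kw` and was popped inside `digest`; as written, hA2 is always computed for GET, so a correct client's non-GET request is denied and the response is never checked against the request's real method. Forward it explicitly: `reqResponse = self.digest(authorization, hashPass, method, **kw)`. Separately, the new `method='GET'` defaults on `verify`, `digest` and `_compute_hA2` hide exactly this kind of omission; keeping the argument required on `_compute_hA2`, as it was before this commit, would turn a forgotten method into an error instead of a silent mismatch.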
