Incomplete realization of http digest auth
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
wget (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: wget
Short summary: Wget doesn't use qop section in WWW-Authenticate header, thus sending incorrect Authorization header.
I have digest auth implemented in php, taken from here http://
Executing wget:
conf@conf:~$ wget -d http://
Setting --user (user) to guest
Setting --password (password) to guest
Setting --output-file (logfile) to wget.log
conf@conf:~$ echo `cat test.php`
Wrong Credentials!
As you can see, authorization didn't work, because the server said
WWW-Authenticate: Digest realm="Restricted area",qop=
and wget answered
Authorization: Digest username="guest", realm="Restricted area", nonce="
As rfc2617 said (http://
qop
Indicates what "quality of protection" the client has applied to
the message. If present, its value MUST be one of the alternatives
the server indicated it supports in the WWW-Authenticate header.
These values affect the computation of the request-digest. Note
that this is a single token, not a quoted list of alternatives as
in WWW-Authenticate. This directive is optional in order to
preserve backward compatibility with a minimal implementation of
RFC 2069 [6], but SHOULD be used if the server indicated that qop
is supported by providing a qop directive in the WWW-Authenticate
header field.
qop should be used if the server indicated that it is supported.
By the way, curl is working just fine.
conf@conf:~$ curl -vu guest:guest --anyauth -D headers.txt http://
conf@conf:~$ echo `cat test.php`
Your are logged in as: guest
conf@conf:~$
Additional info:
conf@conf:~$ lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10
conf@conf:~$ apt-cache policy wget
wget:
Установлен: 1.11.4-2ubuntu2
Кандидат: 1.11.4-2ubuntu2
Таблица версий:
*** 1.11.4-2ubuntu2 0
500 http://
500 http://
100 /var/lib/
Please, don't take mp3.dz as a real domain, it's just a local one for development.
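
The mismatch described in this report, as an added example (not code from the report or from wget): the request-digest is computed both ways from RFC 2617 section 3.2.2.1 and checked by a server that offered qop="auth" and always verifies the qop form. The nonce, URI, function names and the strict server model are assumptions made for the illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def request_digest(user, realm, password, method, uri, nonce,
                   qop=None, nc=None, cnonce=None):
    """RFC 2617 section 3.2.2.1 request-digest for algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")           # A2 for qop=auth or no qop
    if qop is None:                             # RFC 2069 compatibility form
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("only qop=auth with nc and cnonce is handled here")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def strict_server_accepts(auth, method, password):
    """Hypothetical server that offered qop="auth" and verifies only that form."""
    if auth.get("qop") != "auth" or not auth.get("nc") or not auth.get("cnonce"):
        return False                            # client ignored the offered qop
    expected = request_digest(auth["username"], auth["realm"], password, method,
                              auth["uri"], auth["nonce"], "auth",
                              auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth.get("response", ""))

# Constructed sample values (the nonce and URI are not from the report).
BASE = {"username": "guest", "realm": "Restricted area",
        "nonce": "constructed-nonce-0001", "uri": "/test.php"}

def legacy_client():
    """Authorization fields without qop, the behaviour the report describes."""
    fields = dict(BASE)
    fields["response"] = request_digest("guest", BASE["realm"], "guest", "GET",
                                        BASE["uri"], BASE["nonce"])
    return fields

def qop_client():
    """Authorization fields with qop=auth, nc and cnonce."""
    fields = dict(BASE, qop="auth", nc="00000001", cnonce="0a4f113b")
    fields["response"] = request_digest("guest", BASE["realm"], "guest", "GET",
                                        BASE["uri"], BASE["nonce"], "auth",
                                        fields["nc"], fields["cnonce"])
    return fields

if __name__ == "__main__":
    print("without qop:", strict_server_accepts(legacy_client(), "GET", "guest"))
    print("with qop=auth:", strict_server_accepts(qop_client(), "GET", "guest"))
```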