Incomplete realization of http digest auth

Bug #530036 reported by Shein Alexey
This bug affects 3 people
Affects: wget (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: wget

Short summary: Wget doesn't use the qop directive from the WWW-Authenticate header, and thus sends an incorrect Authorization header.

I have digest auth implemented in PHP, taken from http://php.net/manual/en/features.http-auth.php (see Example #2).
Executing wget:
conf@conf:~$ wget -d http://www.mp3.dz/test.php --user=guest --password=guest -o wget.log
Setting --user (user) to guest
Setting --password (password) to guest
Setting --output-file (logfile) to wget.log
conf@conf:~$ echo `cat test.php`
Wrong Credentials!

As you can see, authorization didn't work, because the server said
WWW-Authenticate: Digest realm="Restricted area",qop="auth",nonce="4b8bbfc607c5f",opaque="cdce8a5c95a1427d74df7acbf41c9ce0"
and wget answered
Authorization: Digest username="guest", realm="Restricted area", nonce="4b8bbfc607c5f", uri="/test.php", response="c3f3bda7a96ec0315d8647336b8a1204", opaque="cdce8a5c95a1427d74df7acbf41c9ce0"

As RFC 2617 says (http://tools.ietf.org/html/rfc2617#ref-message-qop, page 11):

   qop
     Indicates what "quality of protection" the client has applied to
     the message. If present, its value MUST be one of the alternatives
     the server indicated it supports in the WWW-Authenticate header.
     These values affect the computation of the request-digest. Note
     that this is a single token, not a quoted list of alternatives as
     in WWW- Authenticate. This directive is optional in order to
     preserve backward compatibility with a minimal implementation of
     RFC 2069 [6], but SHOULD be used if the server indicated that qop
     is supported by providing a qop directive in the WWW-Authenticate
     header field.

qop should be used if the server indicated that it is supported.

By the way, curl is working just fine.
conf@conf:~$ curl -vu guest:guest --anyauth -D headers.txt http://www.mp3.dz/test.php 2> curl.log > test.php
conf@conf:~$ echo `cat test.php`
Your are logged in as: guest
conf@conf:~$

Additional info:
conf@conf:~$ lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10
conf@conf:~$ apt-cache policy wget
wget:
  Installed: 1.11.4-2ubuntu2
  Candidate: 1.11.4-2ubuntu2
  Version table:
 *** 1.11.4-2ubuntu2 0
        500 http://ubuntu.snet.uz karmic/main Packages
        500 http://ubuntu.uz karmic/main Packages
        100 /var/lib/dpkg/status
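The request-digest computation the RFC excerpt refers to, worked through as an added example (this is not code from the bug report, from wget or from the PHP manual). It reuses the realm, nonce, opaque value, user, password and URI from the captured exchange above; the cnonce, nonce count and the server-side credential store are constructed for the example. The client side builds the Authorization header both the way wget 1.11 did (qop ignored, RFC 2069 form) and the way a qop="auth" challenge requires; the server side verifies in the spirit of the PHP manual example the reporter used, which recomputes the digest with nc/cnonce/qop and therefore rejects a response that omits them.

```python
import hashlib
import hmac
import re

# Parameters taken from the WWW-Authenticate/Authorization exchange quoted in the
# report; the cnonce, nc and credential store below are constructed for this example.
REALM = "Restricted area"
NONCE = "4b8bbfc607c5f"
OPAQUE = "cdce8a5c95a1427d74df7acbf41c9ce0"
USER = "guest"
PASSWORD = "guest"
METHOD = "GET"
URI = "/test.php"
CNONCE = "0a4f113b"  # constructed client nonce
NC = "00000001"      # constructed nonce count
PASSWORDS = {USER: PASSWORD}  # constructed server-side credential store


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """request-digest per RFC 2617 section 3.2.2.1 (algorithm=MD5, no -sess).

    With qop="auth" the digest also covers nc and cnonce; without qop it is the
    older RFC 2069 form KD(HA1, nonce ":" HA2), which is what wget 1.11 sent
    regardless of what the server advertised.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled; auth-int also hashes the entity body")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(server_qop):
    """Authorization header a client should send for the exchange above.

    server_qop is the qop value from WWW-Authenticate, or None if the server
    sent none. In the response qop is a bare token, not a quoted list.
    """
    if server_qop is not None and "auth" in server_qop.split(","):
        resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE,
                               "auth", NC, CNONCE)
        return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
                f'uri="{URI}", qop=auth, nc={NC}, cnonce="{CNONCE}", '
                f'response="{resp}", opaque="{OPAQUE}"')
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}", opaque="{OPAQUE}"')


def parse_digest(header):
    """Split a Digest Authorization header into its directives (quoted or bare)."""
    body = header[len("Digest "):]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', body)}


def server_check(header, method, expected_nonce, advertised_qop=True):
    """Verify a client response the way a server that advertised qop="auth"
    must: recompute the digest with the client's nc/cnonce/qop and refuse a
    response that omits them. With advertised_qop=False the server never sent
    qop and the RFC 2069 form is the correct one to check."""
    parts = parse_digest(header)
    needed = {"username", "realm", "nonce", "uri", "response"}
    if advertised_qop:
        needed |= {"qop", "nc", "cnonce"}
    if not needed.issubset(parts) or parts["nonce"] != expected_nonce:
        return False
    password = PASSWORDS.get(parts["username"])
    if password is None:
        return False
    if advertised_qop:
        expected = digest_response(parts["username"], parts["realm"], password,
                                   method, parts["uri"], parts["nonce"],
                                   parts["qop"], parts["nc"], parts["cnonce"])
    else:
        expected = digest_response(parts["username"], parts["realm"], password,
                                   method, parts["uri"], parts["nonce"])
    # Constant-time comparison so the check does not leak the expected digest.
    return hmac.compare_digest(expected, parts["response"])


def wget_1_11_header():
    """What wget 1.11.4 sent: qop ignored, RFC 2069-style response."""
    return build_authorization(None)


def rfc2617_header():
    """What the server's qop="auth" challenge actually requires."""
    return build_authorization("auth")


if __name__ == "__main__":
    print("wget 1.11 style:", wget_1_11_header())
    print("RFC 2617 style: ", rfc2617_header())
    print("server accepts wget 1.11 style:", server_check(wget_1_11_header(), METHOD, NONCE))
    print("server accepts RFC 2617 style: ", server_check(rfc2617_header(), METHOD, NONCE))
```

The two headers differ only in the presence of qop, nc and cnonce and in the response value, yet a server that advertised qop="auth" can only accept the second: the RFC 2069 digest is computed over different input, so it never matches the server's recomputation. The RFC 2069 header printed by the block can be compared by eye with the Authorization line wget logged in the report.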

Revision history for this message
Shein Alexey (confik) wrote :

Please don't take mp3.dz as a real domain; it's just a local one for development.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wget (Ubuntu):
status: New → Confirmed
Revision history for this message
Javier López (javier-lopez) wrote :

This has been fixed in Ubuntu Raring

wget 1.14-1ubuntu1

I think this is also related to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609836

I'd like to see an SRU for this for Ubuntu Precise and Ubuntu Quantal: https://wiki.ubuntu.com/StableReleaseUpdates

Testcase (ubuntu precise / quantal)
------------

1.- Download a minimalist http server: http://paste.ubuntu.com/5619854/
2.- Execute it:
$ python ./simple.server -p 8080 --username=test --password=test ./
3.- Verify it works with firefox, open "localhost:8080" and then type "test" as user and "test" in the password field
4.- Try with wget
$ wget --user=test --password=test http://localhost:8080
--2013-04-30 12:51:16-- http://localhost:9090/sh_scripts/pass_key.txt
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed

On an updated Ubuntu Raring system:

$ wget --user=test --password=test http://localhost:8080
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 417 [text/plain]
Saving to: 'index.html'

The patch needed seems to be this one:

http://<email address hidden>/msg02703.html

Changed in wget (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Shein Alexey (confik) wrote :

Hello, I confirm that wget 1.14-1ubuntu1 works fine for me.
Thank you for your work.
