Tim Rühsen <[email protected]> writes: > We assumed 'algorithm' to be MD5 before (implicitely), but had the bug to > miss > one check before strcmp(). > > For me, your changes look ok. > > There is just that little issue (more a kind of favour) that I mentioned > under > as 2. : When the server does not mention 'algorithm' in WWW-Authenticate:, > should we introduce it in the clients Authenticate: Header ? I can't say what > is better... RFC 2069 and RFC 2617 leave it open. > At least we would introduce an additional (unneeded) xstrdup/free.
yes true, we used that implicitely but we haven't specified it in "Authenticate:". Personally I am biased to specify the algorithm attribute in any case. Even if this won't make any difference with servers which are compliant to that RFCs, it makes clear what algorithm was used by wget. In any case I haven't a strong opinion, if you still think this is a stdrup/free waste, I can revert the change :-) Giuseppe
