Branko Čibej created SERF-207:
---------------------------------

             Summary: Digest authn provider should verify received parameters.
                 Key: SERF-207
                 URL: https://issues.apache.org/jira/browse/SERF-207
             Project: serf
          Issue Type: Improvement
    Affects Versions: serf-1.3.10, serf-1.4.0, serf-trunk
            Reporter: Branko Čibej
Serf's Digest authentication provider supports only {{algorithm=MD5}} and {{qop=auth}}. This matches what HTTPd's {{mod_auth_digest}} supports, so feature-wise that is fine. However, the code never checks those parameters in the server's response header; it blindly generates an authn response assuming those values. If the parameters are different, authentication will fail in any case, but by checking the received values and failing early we could avoid one round trip that carries a weakly-hashed password.
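The early check described above, as an added example rather than serf's own code: it parses the parameter list of a Digest challenge and rejects it before any credential-derived response is computed when {{algorithm}} or {{qop}} is present with a value the client does not implement. The function and enum names are this example's; a parameter that is absent from the challenge is deliberately left to the existing code path.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp / strcasecmp (POSIX) */

/* Outcome of the early check; names are this example's, not serf's. */
enum { DIGEST_OK = 0, DIGEST_BAD_ALGORITHM = 1, DIGEST_BAD_QOP = 2 };

/* Copy parameter `name` (quoted or bare value) from the text following
 * "Digest " into buf. Returns 1 if the parameter is present, else 0. */
static int digest_param(const char *chal, const char *name, char *buf, size_t len)
{
    size_t n = strlen(name);
    for (const char *p = chal; *p; ) {
        while (*p == ' ' || *p == ',') p++;                 /* separators */
        int match = strncasecmp(p, name, n) == 0 && p[n] == '=';
        while (*p && *p != '=') p++; if (*p) p++;           /* past '=' */
        int quoted = (*p == '"'); if (quoted) p++;
        const char *start = p;
        while (*p && (quoted ? *p != '"' : *p != ',')) p++; /* value */
        if (match) {
            size_t i = (size_t)(p - start);
            if (i >= len) i = len - 1;                      /* truncate */
            memcpy(buf, start, i);
            buf[i] = '\0';
            return 1;
        }
        if (quoted && *p == '"') p++;
    }
    return 0;
}

/* qop may list several tokens ("auth,auth-int"); accept only if "auth" is one. */
static int qop_offers_auth(const char *qop)
{
    for (const char *p = qop; *p; ) {
        while (*p == ' ' || *p == ',') p++;
        const char *s = p;
        while (*p && *p != ',' && *p != ' ') p++;
        if (p - s == 4 && strncasecmp(s, "auth", 4) == 0) return 1;
    }
    return 0;
}

/* Run before any response hash is computed: a parameter that is present but not
 * algorithm=MD5 / qop=auth fails here, so no credential-derived data is sent. */
int digest_check_challenge(const char *chal)
{
    char v[128];
    if (digest_param(chal, "algorithm", v, sizeof v) && strcasecmp(v, "MD5") != 0)
        return DIGEST_BAD_ALGORITHM;
    if (digest_param(chal, "qop", v, sizeof v) && !qop_offers_auth(v))
        return DIGEST_BAD_QOP;
    return DIGEST_OK;
}
```

The string passed in is the challenge with the leading "Digest " scheme token already removed, as a constructed input for the check.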