[ https://issues.apache.org/jira/browse/SERF-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011988#comment-18011988 ]
Branko Čibej commented on SERF-207:
-----------------------------------

The updated [patch v2|^SERF-207.2.patch] applies to the {{user-defined-authn}} branch.

> Digest authn provider should verify received parameters.
> --------------------------------------------------------
>
>                 Key: SERF-207
>                 URL: https://issues.apache.org/jira/browse/SERF-207
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.4.0, serf-trunk, serf-1.3.10
>            Reporter: Branko Čibej
>            Assignee: Branko Čibej
>            Priority: Minor
>         Attachments: SERF-207.2.patch, SERF-207.patch
>
>
> The Digest authentication scheme supports only {{algorithm=MD5}} and
> {{qop=auth}} parameters. This is equivalent to what's supported by HTTPd's
> {{mod_auth_digest}}, so feature-wise that's fine.
> However, the code never checks those parameters in the response header and
> just blindly generates an authn response using those assumed values. If those
> parameters are different, the authentication will fail in any case, but we
> could avoid one roundtrip with a weakly-hashed password by checking the
> parameter values and failing early.
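The early check the issue asks for, as an added example in C that is not serf's code and not the attached patch: parse a WWW-Authenticate Digest challenge into its parameters and refuse to build an Authorization response (and so never hash the password) unless the algorithm is MD5 and the qop list offers auth. The function names, the struct layout, the sample challenges and the treatment of a missing algorithm or qop are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

#define DIGEST_VAL_MAX 128

/* The parameters of a Digest challenge whose values decide whether this
 * client can answer at all (hypothetical layout, not serf's). */
typedef struct {
    char realm[DIGEST_VAL_MAX];
    char nonce[DIGEST_VAL_MAX];
    char algorithm[DIGEST_VAL_MAX];   /* empty if the server omitted it */
    char qop[DIGEST_VAL_MAX];         /* empty if the server omitted it */
} digest_challenge_t;

/* Copy one parameter value, quoted string or bare token, into dst.
 * Returns a pointer just past the value. */
static const char *copy_value(const char *p, char *dst, size_t cap)
{
    size_t n = 0;
    if (*p == '"') {
        for (p++; *p && *p != '"'; p++)
            if (n + 1 < cap) dst[n++] = *p;
        if (*p == '"') p++;
    } else {
        for (; *p && *p != ',' && !isspace((unsigned char)*p); p++)
            if (n + 1 < cap) dst[n++] = *p;
    }
    dst[n] = '\0';
    return p;
}

/* Parse 'Digest k=v, k="v", ...' into *out. Returns 0 on success, -1 if the
 * header is malformed, lacks a nonce or is not a Digest challenge.
 * Keys this example does not need are parsed and ignored. */
int digest_parse_challenge(const char *header, digest_challenge_t *out)
{
    const char *p = header;
    memset(out, 0, sizeof(*out));
    if (strncasecmp(p, "Digest", 6) != 0 || !isspace((unsigned char)p[6]))
        return -1;
    p += 6;
    for (;;) {
        char key[32], val[DIGEST_VAL_MAX];
        size_t k = 0;
        while (*p && (isspace((unsigned char)*p) || *p == ',')) p++;
        if (!*p) break;
        while (*p && *p != '=' && *p != ',' && !isspace((unsigned char)*p)) {
            if (k + 1 < sizeof key) key[k++] = (char)tolower((unsigned char)*p);
            p++;
        }
        key[k] = '\0';
        while (isspace((unsigned char)*p)) p++;
        if (*p != '=' || k == 0) return -1;          /* key without a value */
        p++;
        while (isspace((unsigned char)*p)) p++;
        p = copy_value(p, val, sizeof val);
        if (strcmp(key, "realm") == 0)          strcpy(out->realm, val);
        else if (strcmp(key, "nonce") == 0)     strcpy(out->nonce, val);
        else if (strcmp(key, "algorithm") == 0) strcpy(out->algorithm, val);
        else if (strcmp(key, "qop") == 0)       strcpy(out->qop, val);
    }
    return out->nonce[0] ? 0 : -1;               /* a nonce is mandatory */
}

/* Does the qop list (e.g. "auth,auth-int") contain exactly the token "auth"?
 * A whole-token compare, so "auth-int" alone does not count. */
static int qop_offers_auth(const char *qop)
{
    char buf[DIGEST_VAL_MAX];
    strcpy(buf, qop);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (isspace((unsigned char)*tok)) tok++;
        char *end = tok + strlen(tok);
        while (end > tok && isspace((unsigned char)end[-1])) *--end = '\0';
        if (strcasecmp(tok, "auth") == 0) return 1;
    }
    return 0;
}

/* Vet the challenge before any hash of the password is computed.
 * Returns 0 if the client can answer, -1 for a malformed challenge and
 * -2 if the server asks for an algorithm or qop this client does not do.
 * Assumed defaults (this example's choice, not serf's): a missing
 * algorithm means MD5 as in RFC 2617; a missing qop is accepted as the
 * legacy RFC 2069 mode. */
int digest_check_challenge(const char *header)
{
    digest_challenge_t c;
    if (digest_parse_challenge(header, &c) != 0) return -1;
    if (c.algorithm[0] && strcasecmp(c.algorithm, "MD5") != 0) return -2;
    if (c.qop[0] && !qop_offers_auth(c.qop)) return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample challenges, not captured from a real server. */
    const char *ok  = "Digest realm=\"serf\", nonce=\"abc123\", qop=\"auth,auth-int\", algorithm=MD5";
    const char *bad = "Digest realm=\"serf\", nonce=\"abc123\", qop=\"auth\", algorithm=SHA-256";
    printf("%d %d\n", digest_check_challenge(ok), digest_check_challenge(bad));
    return 0;
}
```

A -2 result is the point of the issue: the client already knows the server will reject an MD5/auth response, so it reports the failure locally instead of sending a hashed password over the wire for a round trip that cannot succeed.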