This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new e07578e36d Throw explicit exception if server DIGEST challenge has no 
qop value
e07578e36d is described below

commit e07578e36d9cf532a5fc8ad9b70cd0a034a60a47
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jun 30 21:15:14 2026 +0100

    Throw explicit exception if server DIGEST challenge has no qop value
---
 java/org/apache/tomcat/websocket/DigestAuthenticator.java | 11 ++++++-----
 java/org/apache/tomcat/websocket/LocalStrings.properties  |  1 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/DigestAuthenticator.java 
b/java/org/apache/tomcat/websocket/DigestAuthenticator.java
index 606b340c57..405d654159 100644
--- a/java/org/apache/tomcat/websocket/DigestAuthenticator.java
+++ b/java/org/apache/tomcat/websocket/DigestAuthenticator.java
@@ -63,6 +63,9 @@ public class DigestAuthenticator extends Authenticator {
 
         String nonce = parameterMap.get("nonce");
         String messageQop = parameterMap.get("qop");
+        if (messageQop == null || messageQop.isEmpty()) {
+            throw new 
AuthenticationException(sm.getString("digestAuthenticator.noQop"));
+        }
         String algorithm = parameterMap.get("algorithm") == null ? "MD5" : 
parameterMap.get("algorithm");
         String opaque = parameterMap.get("opaque");
         if (cnonceGenerator == null) {
@@ -99,11 +102,9 @@ public class DigestAuthenticator extends Authenticator {
             challenge.append("opaque=\"").append(opaque).append("\",");
         }
 
-        if (messageQop != null && !messageQop.isEmpty()) {
-            challenge.append("qop=\"").append(messageQop).append("\"");
-            challenge.append(",cnonce=\"").append(cNonce).append("\",");
-            challenge.append("nc=").append(String.format("%08X", 
Integer.valueOf(nonceCount)));
-        }
+        challenge.append("qop=\"").append(messageQop).append("\"");
+        challenge.append(",cnonce=\"").append(cNonce).append("\",");
+        challenge.append("nc=").append(String.format("%08X", 
Integer.valueOf(nonceCount)));
 
         return challenge.toString();
 
diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties 
b/java/org/apache/tomcat/websocket/LocalStrings.properties
index 3bd7ccd063..f1f7c16e0d 100644
--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
+++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
@@ -41,6 +41,7 @@ clientEndpointHolder.instanceCreationFailed=Failed to create 
WebSocketEndpoint
 clientEndpointHolder.instanceRegistrationFailed=Failed to register Endpoint 
instance with the InstanceManager
 
 digestAuthenticator.algorithm=Unable to generate request digest [{0}]
+digestAuthenticator.noQop=The server challenge did not include a qop value
 
 futureToSendHandler.timeout=Operation timed out after waiting [{0}] [{1}] to 
complete
 


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to