This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 3132bd7213 Throw explicit exception if server DIGEST challenge has no 
qop value
3132bd7213 is described below

commit 3132bd72134946d9df1427a670f22149b3e1af66
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jun 30 21:15:14 2026 +0100

    Throw explicit exception if server DIGEST challenge has no qop value
---
 java/org/apache/tomcat/websocket/DigestAuthenticator.java | 11 ++++++-----
 java/org/apache/tomcat/websocket/LocalStrings.properties  |  1 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/DigestAuthenticator.java 
b/java/org/apache/tomcat/websocket/DigestAuthenticator.java
index 606b340c57..405d654159 100644
--- a/java/org/apache/tomcat/websocket/DigestAuthenticator.java
+++ b/java/org/apache/tomcat/websocket/DigestAuthenticator.java
@@ -63,6 +63,9 @@ public class DigestAuthenticator extends Authenticator {
 
         String nonce = parameterMap.get("nonce");
         String messageQop = parameterMap.get("qop");
+        if (messageQop == null || messageQop.isEmpty()) {
+            throw new 
AuthenticationException(sm.getString("digestAuthenticator.noQop"));
+        }
         String algorithm = parameterMap.get("algorithm") == null ? "MD5" : 
parameterMap.get("algorithm");
         String opaque = parameterMap.get("opaque");
         if (cnonceGenerator == null) {
@@ -99,11 +102,9 @@ public class DigestAuthenticator extends Authenticator {
             challenge.append("opaque=\"").append(opaque).append("\",");
         }
 
-        if (messageQop != null && !messageQop.isEmpty()) {
-            challenge.append("qop=\"").append(messageQop).append("\"");
-            challenge.append(",cnonce=\"").append(cNonce).append("\",");
-            challenge.append("nc=").append(String.format("%08X", 
Integer.valueOf(nonceCount)));
-        }
+        challenge.append("qop=\"").append(messageQop).append("\"");
+        challenge.append(",cnonce=\"").append(cNonce).append("\",");
+        challenge.append("nc=").append(String.format("%08X", 
Integer.valueOf(nonceCount)));
 
         return challenge.toString();
 
diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties 
b/java/org/apache/tomcat/websocket/LocalStrings.properties
index 0b24925a13..821a115b4b 100644
--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
+++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
@@ -44,6 +44,7 @@ clientEndpointHolder.instanceCreationFailed=Failed to create 
WebSocketEndpoint
 clientEndpointHolder.instanceRegistrationFailed=Failed to register Endpoint 
instance with the InstanceManager
 
 digestAuthenticator.algorithm=Unable to generate request digest [{0}]
+digestAuthenticator.noQop=The server challenge did not include a qop value
 
 futureToSendHandler.timeout=Operation timed out after waiting [{0}] [{1}] to 
complete
 


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to