"Jeremy Howard" <[EMAIL PROTECTED]> writes:
> Gisle Aas wrote:
> > "Jeremy Howard" <[EMAIL PROTECTED]> writes:
> >
> > > I found that using LWP::Authen::Digest with an incorrect password causes
> > > infinite recursion. This is because the auth string changes each time as the
> > > nonce changes. Patch follows. It can be applied with:
> >
> > This patch breaks the test suite. The reason is that it prevents
> > retrials with the same username, but with different passwords. I have
> > applied the following patch instead. Can you check that it works for
> > you?
> >
> Works for me. Thanks Gisle.
>
> What's the "we shouldn't really do this but" comment referring to? Is there
> a potential side effect to be aware of here?
We are just breaking into the HTTP::Request object to store some state
in it that it does not know about (and we are not even subclassing).
There should perhaps have been some official interface to store extra state
in HTTP::Message objects. But since both modules are part of LWP it
is kind of ok. If somebody else does something like this I do not
promise not to break their code in the future. This could for
instance happen if I think it pays off to make the internal structure
of HTTP::Message into arrays for some reason.
Regards,
Gisle
>
> > Index: lib/LWP/Authen/Digest.pm
> > ===================================================================
> > RCS file: /cvsroot/libwww-perl/lwp5/lib/LWP/Authen/Digest.pm,v
> > retrieving revision 1.5
> > diff -u -p -u -r1.5 Digest.pm
> > --- lib/LWP/Authen/Digest.pm 2001/11/27 16:37:46 1.5
> > +++ lib/LWP/Authen/Digest.pm 2002/02/07 05:43:21
> > @@ -69,8 +69,8 @@ sub authenticate
> > # Need to check this isn't a repeated fail!
> > my $r = $response;
> > while ($r) {
> > - my $auth = $r->request->header($auth_header);
> > - if ($auth && $auth eq $auth_value) {
> > + my $u = $r->request->{digest_user_pass};
> > + if ($u && $u->[0] eq $user && $u->[1] eq $pass) {
> > # here we know this failed before
> > $response->header("Client-Warning" =>
> > "Credentials for '$user' failed before");
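Review bot: The new test on `$r->request->{digest_user_pass}` is no longer tied to `$auth_header`, which the removed comparison was. The stored key is the same whichever header `$auth_header` names, so if this routine is reached for more than one header in the same response chain with the same `$user` and `$pass`, the second challenge would be reported as "failed before" without ever having been tried. Consider recording `$auth_header` alongside the pair and comparing it here as well.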
> > @@ -81,6 +81,9 @@ sub authenticate
> >
> > my $referral = $request->clone;
> > $referral->header($auth_header => $auth_value);
> > + # we shouldn't really do this, but...
> > + $referral->{digest_user_pass} = [$user, $pass];
> > +
> > return $ua->request($referral, $arg, $size, $response);
> > }
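Review bot: `$referral->{digest_user_pass} = [$user, $pass];` leaves the cleartext password on the request object that is handed to `$ua->request`, where it stays reachable for as long as the request does, and anything that dumps or logs that structure would expose it. The repeated-failure loop only needs an equality test, so storing a one-way digest of the user and password pair would be enough. The comment "we shouldn't really do this, but..." should also say what is being done (writing a private key into the request's hash) so that a later change to the object's internals gets caught in review.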