On Wed, 2003-02-05 at 17:44, Sean Burford wrote:
> Hi,
>
> Digest Authentication in Squid 2.5 stable1 and Squid 2.5 Stable1
> 20030204 is broken. Using src/auth/digest/auth_digest.c, once a user
> has attempted a login further attempts succeed or fail based on the
> success of the first attempt. This is because the credentials_ok flag
> is not reset between attempts.
>
> The attached patch fixes this problem.

It cannot correctly fix the problem. Firstly every auth attempt requires
a correct HA1 and nonce to authenticate, the flag of 3 is used to
indicate failures, not successes. Secondly, on overlapping requests,
there is a race with your solution... and the extant code.

What needs to be done is have the credentials_ok flag moved to the
request level, not the user level. See the TODO around line 677.

Cheers,
Rob

--
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.
