Bug 25040 - digest auth doesn't play well with subrequests
Summary: digest auth doesn't play well with subrequests
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest (show other bugs)
Version: 2.0-HEAD
Hardware: All All
: P3 normal with 12 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2003-11-27 03:33 UTC by Karl Fogel
Modified: 2005-05-29 08:07 UTC (History)
4 users (show)

The changes described above in patch form (and stripped of other local changes) (1.75 KB, patch)
2004-01-14 16:04 UTC, Josh Dady
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Karl Fogel 2003-11-27 03:33:39 UTC
Digest auth doesn't cooperate well with subrequests, because it insists on using
the URI from the Auth header instead of the URI in the subrequest.

I may be getting some of the subtleties wrong here; please see this mail from
Justin Erenkrantz for a better description:


It's part of this thread


...which starts with Ben Collins-Sussman explaining why Subversion's recent
switch to using subrequests for authorization broke digest auth, for users who
had previously been using it successfully.

Oh: and later, in a private email exchange, Sander Striker tentatively confirmed
Brian Fitzpatrick's outline of a solution:

   B. W. Fitzpatrick wrote:
   > So basically, mod_auth_digest needs to see if it's in
   > a subreq, and if it is, then ignore the URI in the
   > Auth header and use the uri from the subreq itself?
   > Is that a correct understanding?
   That sounds about right.
Comment 1 Justin Erenkrantz 2003-12-12 18:39:48 UTC
I think Fitz has it reversed.

mod_auth_digest needs to use the uri of r->main, not of the subreq because the hashed nonce will 
be off of the original request's URI.  Right now, I think it's using the subreq's uri (i.e. r->uri), but 
that isn't what the user sent.  Hence, it can't compute the 'same' hash.
Comment 2 Sander Striker 2003-12-12 18:53:16 UTC
Actually, I think it shouldn't be doing anything other than checking if
the subreq uri is in the same directory/location block (or, in the
same auth domain), and if so, just copy what was done for the main
Comment 3 Josh Dady 2004-01-14 14:18:50 UTC
My subversion server already had a modified mod_auth_digest, so I went digging.
It looks like the subreq is already using fields of the main request to check the
digest, with one exception -- digest_header_rec does not have a method field.
When I get these authentication failures, the subreq method doesn't match the main
req's method.  I added that field, set it to r->method in
parse_hdr_and_update_nc(), and modified old_digest() and new_digest() to use
resp->method instead of r->method, and that fixed the problem.
Comment 4 Josh Dady 2004-01-14 16:04:24 UTC
Created attachment 9946 [details]
The changes described above in patch form (and stripped of other local changes)
Comment 5 Erik Abele 2004-01-19 19:06:26 UTC
Just adding the PatchAvailable keyword...
Comment 6 Justin Erenkrantz 2004-01-29 19:22:46 UTC
Committed to httpd-2.1 as r1.82 of modules/aaa/mod_auth_digest.c.  Proposed for
backport to 2.0.  Will be included in the next release.