Created attachment 36400 [details]
fix race condition in mod_auth_digest

When there are requests made from multiple different users on the same host to the same protection space, a race condition occurs so that the realmhash from another user may sometimes be used for validation when comparing the digest with the expected digest.

I can reproduce this by running two test scripts which repeatedly request a resource using different users.

script1:
  while true; do curl -u test:test --digest "http://<ip>/cgi/mycgi.cgi"; done

script2:
  while true; do curl -u test2:test2 --digest "http://<ip>/cgi/mycgi.cgi"; done

Sometimes the digest module will claim that there is a password mismatch (APLOGNO(01792)). Debugging this I found that the realmhash (ha1) used to compare digests was sometimes from the wrong user.
It is my belief that this patch should be merged to trunk. Please test and review attached patch. Thanks
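The following is an added illustration of the pattern described in the report; it is not the reporter's patch and not mod_auth_digest's code. It models, in Python, a digest check whose per-user HA1 is parked in state shared by every request to the location (the racy shape) beside one that hands HA1 back to the caller per request (the shape of the fix). The realm name, nonce, URI and the two test users are constructed for the example; the digest arithmetic follows RFC 2617 without qop.

```python
"""Model of the mod_auth_digest race: per-user HA1 parked in shared
per-location state vs. returned per request. Added example, not httpd code."""
import hashlib
import threading

REALM = "protected"                      # constructed realm name
USERS = {"test": "test", "test2": "test2"}  # constructed credential store


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_ha1(user: str, password: str) -> str:
    # RFC 2617: HA1 = MD5(username:realm:password)
    return md5hex(f"{user}:{REALM}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 without qop: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    return md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")


class Request:
    """One client request, built the way `curl -u user:pw --digest` would build it."""

    def __init__(self, user, method="GET", uri="/cgi/mycgi.cgi", nonce="abc123"):
        self.user, self.method, self.uri, self.nonce = user, method, uri, nonce
        self.response = digest_response(compute_ha1(user, USERS[user]), method, uri, nonce)


class RacyAuth:
    """Vulnerable shape: get_hash() writes HA1 into a field shared by all
    requests to the location; validate() reads that field back later."""

    def __init__(self):
        self.shared_ha1 = None  # models a field on a shared per-dir config

    def get_hash(self, r: Request):
        self.shared_ha1 = compute_ha1(r.user, USERS[r.user])
        return None             # nothing handed back to the caller

    def validate(self, r: Request, _ha1_ignored) -> bool:
        return digest_response(self.shared_ha1, r.method, r.uri, r.nonce) == r.response


class FixedAuth:
    """Fixed shape: get_hash() returns HA1 to the caller, who keeps it in
    request-local state (what an out-parameter like `const char **rethash` does)."""

    def get_hash(self, r: Request) -> str:
        return compute_ha1(r.user, USERS[r.user])

    def validate(self, r: Request, ha1: str) -> bool:
        return digest_response(ha1, r.method, r.uri, r.nonce) == r.response


def interleaved(auth) -> tuple:
    """Deterministic interleaving of two requests: A looks up its hash, B looks
    up its hash, then A verifies, then B verifies. Returns (A_ok, B_ok)."""
    a, b = Request("test"), Request("test2")
    ha1_a = auth.get_hash(a)
    ha1_b = auth.get_hash(b)
    return auth.validate(a, ha1_a), auth.validate(b, ha1_b)


def stress(auth, rounds: int = 2000) -> int:
    """Two threads hammer the same location as different users; returns how
    many correctly-signed requests were rejected ('password mismatch')."""
    mismatches = [0]
    lock = threading.Lock()

    def worker(user):
        for _ in range(rounds):
            r = Request(user)
            if not auth.validate(r, auth.get_hash(r)):
                with lock:
                    mismatches[0] += 1

    threads = [threading.Thread(target=worker, args=(u,)) for u in USERS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return mismatches[0]


if __name__ == "__main__":
    print("racy, interleaved :", interleaved(RacyAuth()))   # (False, True)
    print("fixed, interleaved:", interleaved(FixedAuth()))  # (True, True)
    print("racy, threaded mismatches :", stress(RacyAuth()))
    print("fixed, threaded mismatches:", stress(FixedAuth()))
```

In the interleaved run the racy version rejects user `test`, because by the time its digest is compared the shared field already holds `test2`'s HA1; the threaded run shows the same failure only intermittently, which matches the "sometimes" in the report. The fixed version cannot confuse the two because each request's HA1 never leaves that request.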
Hi, thx for the report, the reproducer and the patch. I've only slightly changed your patch. 'char **rethash' has been turned into 'const char **rethash' to fix a compilation warning, at least in maintainer-mode. This has been fixed in trunk in r1853190 and will be proposed soon for backport in 2.4.x.
Backported in r1855298. This is part of 2.4.39.