The migration to the strparse API introduced regressions in Digest authentication parsing where Optional Whitespace (OWS) after commas was not skipped, and escaped quotes in values were not correctly parsed. This change ensures whitespace is skipped before key lookups and escaped characters are properly handled and unescaped in quoted values. Reported-by: herdiyanitdev on hackerone Closes #20102
<?xml version="1.0" encoding="US-ASCII"?>
<testcase>
<info>
<keywords>
HTTP
HTTP GET
HTTP Digest auth
</keywords>
</info>

# Server-side
<reply>
<data1 crlf="headers">
HTTP/1.1 401 Authorization Required swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
WWW-Authenticate: Digest realm="OWS Realm", nonce="1053604145"
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26

This is not the real page
</data1>

<data1001 crlf="headers">
HTTP/1.1 200 OK
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
Content-Type: text/html; charset=iso-8859-1
Content-Length: 23

This IS the real page!
</data1001>

<data3 crlf="headers">
HTTP/1.1 401 Authorization Required swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
WWW-Authenticate: Digest realm="My \"Cool\" Realm", nonce="1053604146"
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26

This is not the real page
</data3>

<data1003 crlf="headers">
HTTP/1.1 200 OK
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
Content-Type: text/html; charset=iso-8859-1
Content-Length: 23

This IS the real page!
</data1003>
</reply>

# Client-side
<client>
<server>
http
</server>
<features>
!SSPI
crypto
digest
</features>
<name>
HTTP Digest auth with OWS and escaped quotes
</name>
<command>
http://%HOSTIP:%HTTPPORT/%TESTNUMBER0001 -u testuser:testpass --digest --next
http://%HOSTIP:%HTTPPORT/%TESTNUMBER0003 -u testuser:testpass --digest
</command>
</client>

# Verify data after the test has been "shot"
<verify>
<protocol crlf="headers">
GET /%TESTNUMBER0001 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
User-Agent: curl/%VERSION
Accept: */*

GET /%TESTNUMBER0001 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Digest username="testuser", realm="OWS Realm", nonce="1053604145", uri="/%TESTNUMBER0001", response="b6c8f707f7781c272e79489771185713"
User-Agent: curl/%VERSION
Accept: */*

GET /%TESTNUMBER0003 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
User-Agent: curl/%VERSION
Accept: */*

GET /%TESTNUMBER0003 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Digest username="testuser", realm="My \"Cool\" Realm", nonce="1053604146", uri="/%TESTNUMBER0003", response="f10c1586b83b6e5927fef54748f88d36"
User-Agent: curl/%VERSION
Accept: */*

</protocol>
</verify>
</testcase>