Re: [PATCH] digest auth not working in 2.5-stable

From: Robert Collins <robertc@dont-contact.us>
Date: 05 Feb 2003 19:28:00 +1100

On Wed, 2003-02-05 at 17:44, Sean Burford wrote:
> Hi,
>
> Digest Authentication in Squid 2.5 stable1 and Squid 2.5 Stable1
> 20030204 is broken. Using src/auth/digest/auth_digest.c, once a user
> has attempted a login further attempts succeed or fail based on the
> success of the first attempt. This is because the credentials_ok flag
> is not reset between attempts.
>
> The attached patch fixes this problem.

It cannot correctly fix the problem. Firstly, every auth attempt requires
a correct HA1 and nonce to authenticate; the flag of 3 is used to
indicate failures, not successes.

Secondly, on overlapping requests, there is a race with your solution...
and the extant code.

What needs to be done is have the credentials_ok flag moved to the
request level, not the user level.

See the TODO around line 677.

Cheers,
Rob

-- 
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.

Received on Wed Feb 05 2003 - 01:28:05 MST
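
The overlapping-request race described in the reply above, as an added example that is not part of the original message and is not Squid's code: a simplified C model in which a string comparison stands in for the digest check. All names (`struct user`, `struct request`, `run_overlap`) and values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Squid's data structures; all names are hypothetical. */
enum cred_state { CRED_UNCHECKED = 0, CRED_OK = 1, CRED_FAILED = 3 };

struct user    { const char *name; const char *ha1; enum cred_state credentials_ok; };
struct request { struct user *user; const char *response; enum cred_state credentials_ok; };

/* Stand-in for the digest comparison (real code hashes HA1, nonce, method, URI). */
static enum cred_state verify(const struct request *r) {
    return strcmp(r->response, r->user->ha1) == 0 ? CRED_OK : CRED_FAILED;
}

/* User-level flag: every request for this user shares one result slot. */
static void check_user_level(struct request *r) { r->user->credentials_ok = verify(r); }
static bool allow_user_level(const struct request *r) { return r->user->credentials_ok == CRED_OK; }

/* Request-level flag: each request carries its own result. */
static void check_request_level(struct request *r) { r->credentials_ok = verify(r); }
static bool allow_request_level(const struct request *r) { return r->credentials_ok == CRED_OK; }

/* Two overlapping requests for one user: A is checked, then B is checked,
 * and only afterwards are the access decisions for A and B taken.
 * Returns a bitmask: bit 0 = A allowed, bit 1 = B allowed. */
static int run_overlap(bool per_request) {
    struct user u = { "alice", "constructed-ha1", CRED_UNCHECKED };
    struct request a = { &u, "constructed-ha1", CRED_UNCHECKED }; /* valid response */
    struct request b = { &u, "wrong-response", CRED_UNCHECKED };  /* invalid response */
    if (per_request) {
        check_request_level(&a);
        check_request_level(&b);
        return (allow_request_level(&a) ? 1 : 0) | (allow_request_level(&b) ? 2 : 0);
    }
    check_user_level(&a);
    check_user_level(&b); /* overwrites the result recorded for A */
    return (allow_user_level(&a) ? 1 : 0) | (allow_user_level(&b) ? 2 : 0);
}

int main(void) {
    printf("user-level flag:    mask=%d\n", run_overlap(false));
    printf("request-level flag: mask=%d\n", run_overlap(true));
    return 0;
}
```

With the shared flag, the valid request A is rejected because B's failure was recorded on the user before A's decision was taken; with per-request state each request is judged on its own result.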
