Fix malformed Digest Authorization header for multi-value qop (fixes #441)#479
Open
rgaufman wants to merge 1 commit into
Open
Fix malformed Digest Authorization header for multi-value qop (fixes #441)#479rgaufman wants to merge 1 commit into
rgaufman wants to merge 1 commit into
Conversation
parse_challenge_param split the WWW-Authenticate challenge on every comma,
including the one inside a quoted qop list such as qop="auth,auth-int". That
mis-parsed qop as %{"auth} and produced a malformed request header:
Authorization: Digest ..., qop="auth, response="...
(an unclosed qop quote that swallows the response= field). Lenient servers
ignore it; stricter ones reject the request, and some embedded camera web
servers choke on it entirely.
- parse_challenge_param: quote-aware split, so qop="auth,auth-int" is kept
intact rather than broken at the inner comma.
- calc_cred: send exactly one unquoted qop-value (RFC 2617 message-qop),
preferring "auth", and compute the response digest with that same value.
Adds test_digest_auth_multi_value_qop.
Fixes nahi#441
rgaufman
force-pushed
the
fix-digest-qop-multivalue-441
branch
from
July 17, 2026 13:33
5b4f934 to
76ba2f3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #441.
The bug
When a server offers more than one qop-option as a quoted, comma-separated list in the challenge (RFC 2617 / 7616 allow this), e.g.
parse_challenge_paramsplits the challenge on every comma, including the one inside the quotes. Soqop="auth,auth-int"is parsed asqop => %{"auth}(a leading double-quote, truncated) plus a junkauth-int"key.calc_credthen emits a malformed request header:The
qopquote is never closed and it swallows theresponse=field. Lenient servers ignore the surplus, but stricter ones reject the request. In the wild this also hard-crashes some embedded-camera web servers (observed on Shenzhen TVT "Cross Web Server" devices: the socket EOFs mid-response and the camera reboots), because Savon / HTTPI use httpclient for their SOAP/ONVIF calls.This is the same case #27 noted but left unhandled ("RFC 2617 includes an example
qop="auth,auth-int"though...").The fix
parse_challenge_param: quote-aware split, soqop="auth,auth-int"is kept intact instead of broken at the inner comma. Bare (unquoted) values keep working.calc_cred: the Authorization request header must carry exactly one unquoted qop-value (message-qop = "qop" "=" qop-value). Selectauthwhen offered (auth-int additionally requires hashing the entity body), else the first option, and compute the response digest with that same value so the header and digest stay consistent.Result:
Tests
Adds
test_digest_auth_multi_value_qop. Fulltest/test_auth.rbsuite passes (28 tests, 71 assertions, 0 failures) on Ruby 4.0.