Ticket #759 (defect)
Opened 8 months ago
Last modified 6 months ago
possible incorrect check of cn parameter in httpauth.py
Status: closed (fixed)
| Reported by: | garlic39@es3.us | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | CherryPy code | Keywords: | |
| Cc: | | | |
I have a question about function _parseDigestAuthorization, lines 144-146 in lib/httpauth.py:
```python
# If qop is sent then cnonce and cn MUST be present
if params.has_key("qop") and not params.has_key("cnonce") \
   and params.has_key("cn"):
```
I don't know what "cn" is. I don't see where it's used in CherryPy code or in RFC2617. (Maybe it's used in some other RFC, but I don't know which one would be relevant.) "nc" is used in the CherryPy code and RFC2617, so maybe "cn" is a typo for "nc"?
The comment says that "cn" must be present, but the code returns error (None) if it is present. Maybe missing ()?
The code would make more sense to me if it was:
```python
if params.has_key("qop") and not (params.has_key("cnonce") \
   and params.has_key("nc")):
```
This code has been stable for quite some time, so I apologize in advance if I'm misunderstanding things.
Change History
01/16/08 16:35:37: Modified by lawouach
- status changed from new to closed.
- resolution set to fixed.
- milestone set to 3.1.


Fixed in [1866]
Good catch.
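The two conditions from the ticket description, compared side by side over constructed Digest parameter sets. This is an added example, not CherryPy's code and not necessarily the change committed in [1866]. The function names and sample values are assumptions, and `has_key` is written as `in` so the block runs on Python 3.

```python
# Added illustration; function names and sample parameter dicts are constructed.

def rejects_as_quoted(params):
    """The condition quoted in the ticket (has_key written as `in`)."""
    return "qop" in params and "cnonce" not in params and "cn" in params

def rejects_as_suggested(params):
    """The reporter's suggested form: with qop, both cnonce and nc are required."""
    return "qop" in params and not ("cnonce" in params and "nc" in params)

# Constructed Digest parameter sets (placeholder values, not real credentials).
BASE = {"username": "u", "realm": "r", "nonce": "n", "uri": "/", "response": "x"}
SAMPLES = {
    "no qop (RFC 2069 style)": dict(BASE),
    "qop with cnonce and nc": dict(BASE, qop="auth", cnonce="c", nc="00000001"),
    "qop, cnonce missing": dict(BASE, qop="auth", nc="00000001"),
    "qop, nc missing": dict(BASE, qop="auth", cnonce="c"),
    "qop, both missing": dict(BASE, qop="auth"),
    "qop, stray cn only": dict(BASE, qop="auth", cn="1"),
}

def compare(samples=SAMPLES):
    """Return {label: (rejected_by_quoted, rejected_by_suggested)}."""
    return {label: (rejects_as_quoted(p), rejects_as_suggested(p))
            for label, p in samples.items()}

def accepted_but_malformed(samples=SAMPLES):
    """Labels the quoted check lets through although the suggested one rejects them."""
    return [label for label, (old, new) in compare(samples).items()
            if new and not old]

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:26} quoted rejects={old!s:5} suggested rejects={new}")
    print("Passed by the quoted check only:", accepted_but_malformed())
```

The quoted condition rejects only a request that carries `qop` and `cn` without `cnonce`, so requests with `qop` but no `cnonce` or `nc` get past this parsing step.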