authorGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 13:55:33 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 13:55:33 -0400
commit1799e4c3eb819d508726d857e4176e733d555b7b (patch)
tree2aa7f1c4b3a6958db8f0050f64c3bb4beadd000c
parent019efb0ed8ebaee8d23301d921e2c79ff293bab2 (diff)
[mod_auth] do not use quoted-string for algorithm
https://www.rfc-editor.org/rfc/rfc7616.txt 3.3. The WWW-Authenticate Response Header Field ... For historical reasons, a sender MUST only generate the quoted string syntax values for the following parameters: realm, domain, nonce, opaque, and qop. For historical reasons, a sender MUST NOT generate the quoted string syntax values for the following parameters: stale and algorithm.
-rw-r--r--src/mod_auth.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index e093ce55..61d4c10c 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -868,9 +868,9 @@ static void mod_auth_digest_www_authenticate(buffer *b, time_t cur_ts, const str
}
buffer_append_string_len(b, CONST_STR_LEN("Digest realm=\""));
buffer_append_string_buffer(b, require->realm);
- buffer_append_string_len(b, CONST_STR_LEN("\", charset=\"UTF-8\", algorithm=\""));
+ buffer_append_string_len(b, CONST_STR_LEN("\", charset=\"UTF-8\", algorithm="));
buffer_append_string_len(b, algoname[i], algolen[i]);
- buffer_append_string_len(b, CONST_STR_LEN("\", nonce=\""));
+ buffer_append_string_len(b, CONST_STR_LEN(", nonce=\""));
buffer_append_uint_hex(b, (uintmax_t)cur_ts);
buffer_append_string_len(b, CONST_STR_LEN(":"));
(append_nonce[i])(b, cur_ts, rnd);
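Review bot: With the quotes removed, `algoname[i]` is written into the challenge as a bare token, so every entry in that table must stay free of spaces, commas and quotes; the table is defined outside this hunk, and a comment above the append such as `/* RFC 7616 3.3: algorithm is a token, never a quoted-string */` would record the constraint for whoever adds the next algorithm. The commit message cites the same rule for `stale`, which this hunk does not show being emitted, so it is worth confirming that path also writes it unquoted. Separately, `require->realm` is still copied between the quotes without escaping, so a realm containing `"` or `\` would produce a malformed header; the value presumably comes from configuration, in which case rejecting such a realm at config load would make that assumption explicit. The body of mod_auth_digest_www_authenticate starts and ends outside the hunk.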