authorGlenn Strauss <>2019-09-08 15:07:25 -0400
committerGlenn Strauss <>2019-09-08 15:14:26 -0400
commitc81bd354b258121f6491f44f924bc7c715bd9389 (patch)
parent1799e4c3eb819d508726d857e4176e733d555b7b (diff)
[mod_auth] require digest uri= match original URI
lighttpd requires a strict match between the request URI and the uri= auth-param provided in the Authenticate header. lighttpd does not attempt to determine if different URIs are semantically equivalent.

This commit removes a condition which permitted an Authenticate header with a uri= containing a query-string to be used with the request-uri which did not contain any query-string. The condition was likely added in the original implementation which operated on lighttpd request.uri instead of the correct request.orig_uri (original URI sent to lighttpd).

HTTP Digest Access Authentication
3.4.6. Various Considerations
The authenticating server MUST assure that the resource designated by the "uri" parameter is the same as the resource specified in the Request-Line; if they are not, the server SHOULD return a 400 Bad Request error. (Since this may be a symptom of an attack, server implementers may want to consider logging such errors.) The purpose of duplicating information from the request URL in this field is to deal with the possibility that an intermediate proxy may alter the client's Request-Line. This altered (but presumably semantically equivalent) request would not result in the same digest as that calculated by the client.

x-ref: "HTTP Digest Access Authentication" "HTTP digest authentication not compatible with some clients"
1 files changed, 1 insertions, 3 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 61d4c10c..49ab7a85 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -1076,9 +1076,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
* uri sent in client request. */
const size_t ulen = strlen(uri);
- const size_t rlen = buffer_string_length(con->request.orig_uri);
- if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)
- && !(rlen < ulen && 0 == memcmp(con->request.orig_uri->ptr, uri, rlen) && uri[rlen] == '?')) {
+ if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)) {
log_error_write(srv, __FILE__, __LINE__, "sbsssB",
"digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", con->dst_addr_buf);