develooper Front page | perl.libwww | Postings from January 2002

[PATCH] Avoiding infinite recursion in LWP::Authen::Digest

From: Jeremy Howard
Date: January 24, 2002 09:13
Subject: [PATCH] Avoiding infinite recursion in LWP::Authen::Digest
Message ID: 00ee01c1a487$021008b0$0101460a@optimaldecisions.com

I found that using LWP::Authen::Digest with an incorrect password causes
infinite recursion. This is because the auth string changes each time as the
nonce changes. Patch follows. It can be applied with:
#  patch -l -p0 < lwp-authen.diff
(assuming you name the attached "lwp-authen.diff")
--------

--- Authen/Digest.pm    Wed Nov 28 03:35:35 2001
+++ Authen/Digest.pm.new        Wed Jan 23 11:04:39 2002
@@ -70,11 +70,17 @@
     my $r = $response;
     while ($r) {
        my $auth = $r->request->header($auth_header);
-       if ($auth && $auth eq $auth_value) {
-           # here we know this failed before
-           $response->header("Client-Warning" =>
-                             "Credentials for '$user' failed before");
-           return $response;
+       if ($auth) {
+    my ($thisuser, $thisrealm, $thisuri) =
+      ($auth =~ /username="(.*?)".*realm="(.*?)".*uri="(.*?)"/);
+    my ($lastuser, $lastrealm, $lasturi) =
+      ($auth_value =~ /username="(.*?)".*realm="(.*?)".*uri="(.*?)"/);
+    if ($thisuser eq $lastuser && $thisrealm eq $lastrealm && $thisuri eq
$lasturi) {
+      # here we know this failed before
+      $response->header("Client-Warning" =>
+            "Credentials for '$user' failed before");
+      return $response;
+    }
        }
        $r = $r->previous;
     }
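
Review bot: In the new `if ($auth)` block, neither regex match is checked for success, so when both headers fail to match the pattern (attributes in an order other than username, realm, uri, or one of them absent) all six captures are undef and the three `eq` tests compare empty strings and succeed. That returns "Credentials for '$user' failed before" for a request the pattern never actually parsed, and emits uninitialized-value warnings under -w. Suggest pulling each attribute out with its own order-independent match, for example `/username="([^"]*)"/`, and only comparing when all three are defined on both sides. The added lines are also indented with spaces at a different depth from the surrounding tab-indented code, and the `if` condition is wrapped across two lines in the mail, so the patch should be resent as an attachment or with wrapping disabled. A short comment stating that the nonce is deliberately left out of the comparison would help the next reader.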
----


