Having heard no response here...
I posted on github with a fix - issue #2323:
https://github.com/rails/rails/pull/2323
Arthur
On Fri, Jun 10, 2011 at 3:32 PM, Arthur Smith <arthurpsmith@gmail.com> wrote:
> I've done a search of the mailing list and not found anything
> informative, but possibly missed something; this is my first comment
> on this mailing list.
>
> From RFC 2617 - http://tools.ietf.org/html/rfc2617 - which specifies
> Digest Authentication, the section discussing the "digest-uri" element
> states:
>
> "digest-uri
> The URI from Request-URI of the Request-Line; duplicated here
> because proxies are allowed to change the Request-Line in
> transit."
>
> and the detailed discussion on calculation of the digest value
> specifically says:
>
> "where "digest-uri-value" is the value of the
"uri" directive on the
> Authorization header in the request."
>
> That is, the "digest-uri" provided in the Authorization header is what
> should be used in calculating the digest for authentication purposes,
> not the request URI - because that string may change between the
> client and the ultimate server responding to the request.
>
> However, it looks like this has been implemented incorrectly in Rails
> ActionController::HttpAuthentication for some time - for example from
> actionpack-3.0.7/lib/action_controller/metal/http_authentication.rb
> line 188:
>
> uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url
>
> This should be simply:
>
> uri = credentials[:uri]
>
> We ran into this bug when switching from a java-Spring-Acegi
> authentication handler to Rails HttpAuthentication. It had always
> worked perfectly with Acegi. Rails digest authentication worked fine
> when connecting directly to the server it was installed on, but when
> connecting to a front-end server that rewrites the URLs, Rails digest
> authentication always failed. With the above patch, digest
> authentication works correctly again.
>
> If there's a need to verify that the digest-uri matches in some way
> the request uri the server should do that separately from the actual
> digest authentication piece, which should just match the
> specifications of RFC 2617. Agreed?
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
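The behaviour the thread describes, as an added example that is not part of the original messages or of Rails' HttpAuthentication code: an RFC 2617 digest (qop="auth", MD5) computed on the client from the uri directive, then checked on the server two ways, once from the path the server itself received (as the quoted actionpack line does) and once from the uri directive the client sent (as the RFC directs), plus the separate uri-versus-request check the message suggests. The realm, password, nonce, paths and the `known_aliases` list are constructed values and assumptions.

```ruby
require 'digest/md5'

# RFC 2617 Digest Authentication with qop="auth" and the MD5 algorithm.
# Added example; not Rails' HttpAuthentication code. Realm, password, nonce
# and paths below are constructed values.

def ha1(user, realm, password)
  Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
end

def ha2(method, uri)
  Digest::MD5.hexdigest("#{method}:#{uri}")
end

# response = MD5(HA1:nonce:nc:cnonce:qop:HA2), RFC 2617 section 3.2.2.1
def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop)
  Digest::MD5.hexdigest(
    "#{ha1(user, realm, password)}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2(method, uri)}"
  )
end

# What a client sends: the uri directive carries the path the client used.
def client_authorization(user, realm, password, method, uri, nonce, cnonce,
                         nc: '00000001', qop: 'auth')
  response = digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop)
  %(Digest username="#{user}", realm="#{realm}", nonce="#{nonce}", uri="#{uri}", ) +
    %(qop=#{qop}, nc=#{nc}, cnonce="#{cnonce}", response="#{response}")
end

# Parse 'Digest k=v, k="v", ...' into a symbol-keyed hash (values without commas).
def parse_digest_credentials(header)
  header.sub(/\ADigest\s+/, '').split(/,\s*/).each_with_object({}) do |pair, creds|
    key, value = pair.split('=', 2)
    creds[key.strip.to_sym] = value.to_s.delete('"')
  end
end

# Server check the way the quoted actionpack line does it: HA2 is built from
# the path the server itself received, so any proxy rewrite breaks the match.
def valid_using_request_path?(creds, method, request_path, password)
  creds[:response] == digest_response(creds[:username], creds[:realm], password,
                                      method, request_path, creds[:nonce],
                                      creds[:nc], creds[:cnonce], creds[:qop])
end

# Server check as RFC 2617 directs: HA2 is built from the uri directive the
# client sent, which survives a Request-Line rewrite in transit.
def valid_per_rfc?(creds, method, password)
  creds[:response] == digest_response(creds[:username], creds[:realm], password,
                                      method, creds[:uri], creds[:nonce],
                                      creds[:nc], creds[:cnonce], creds[:qop])
end

# The separate check the message suggests: decide, independently of the hash,
# whether the client's uri refers to the request actually received.
# known_aliases (an assumption here) lists paths a front end rewrites to request_path.
def uri_matches_request?(creds, request_path, known_aliases = [])
  creds[:uri] == request_path || known_aliases.include?(creds[:uri])
end

# The scenario from the thread: the client signs /api/items; a front-end
# proxy forwards the same request to the Rails app as /app/api/items.
def demo(password = 'secret')
  header = client_authorization('alice', 'example', password, 'GET', '/api/items',
                                'nonce123', 'cnonce456')
  creds = parse_digest_credentials(header)
  direct_path = '/api/items'        # client talks to the Rails server directly
  rewritten_path = '/app/api/items' # same request after a front-end rewrite
  {
    direct_request_path: valid_using_request_path?(creds, 'GET', direct_path, password),
    rewritten_request_path: valid_using_request_path?(creds, 'GET', rewritten_path, password),
    rewritten_per_rfc: valid_per_rfc?(creds, 'GET', password),
    uri_check: uri_matches_request?(creds, rewritten_path, ['/api/items'])
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running it prints a hash in which only the rewritten-path check built from the server's own path fails; the RFC-style check passes for both the direct and the rewritten request, and the uri check is where a deployment records which rewritten paths it is willing to accept.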