Sylvain Hellegouarch avatar Sylvain Hellegouarch committed 833dd80

Fix for #787, only for digest though, as basic responses don't provide the realm


Files changed (3)

cherrypy/lib/auth.py

 from cherrypy.lib import httpauth
 
 
-def check_auth(users, encrypt=None):
+def check_auth(users, encrypt=None, realm=None):
     """If an authorization header contains credentials, return True, else False."""
     if 'authorization' in cherrypy.request.headers:
         # make sure the provided credentials are correctly set
         # validate the authorization by re-computing it here
         # and compare it with what the user-agent provided
         if httpauth.checkResponse(ah, password, method=cherrypy.request.method,
-                                  encrypt=encrypt):
+                                  encrypt=encrypt, realm=realm):
             cherrypy.request.login = ah["username"]
             return True
     
     realm: a string containing the authentication realm.
     users: a dict of the form: {username: password} or a callable returning a dict.
     """
-    if check_auth(users):
+    if check_auth(users, realm=realm):
         return
     
     # inform the user-agent this path is protected

cherrypy/lib/httpauth.py

                    HTML page.
     """
 
+    if auth_map['realm'] != kwargs.get('realm', None):
+        return False
+    
     response =  _computeDigestResponse(auth_map, password, method, A1,**kwargs)
 
     return response == auth_map["response"]

cherrypy/test/test_httpauth.py

         elif tokens['qop'] != '"auth"':
             self._handlewebError(bad_value_msg % ('qop', '"auth"', tokens['qop']))
 
-            # now let's see if what 
+        # Test a wrong 'realm' value
+        base_auth = 'Digest username="test", realm="wrong realm", nonce="%s", uri="/digest/", algorithm=MD5, response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"'
+
+        auth = base_auth % (nonce, '', '00000001')
+        params = httpauth.parseAuthorization(auth)
+        response = httpauth._computeDigestResponse(params, 'test')
+        
+        auth = base_auth % (nonce, response, '00000001')
+        self.getPage('/digest/', [('Authorization', auth)])
+        self.assertStatus('401 Unauthorized')
+        
+        # Test that must pass
         base_auth = 'Digest username="test", realm="localhost", nonce="%s", uri="/digest/", algorithm=MD5, response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"'
 
         auth = base_auth % (nonce, '', '00000001')
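Review bot: The new wrong-realm case only exercises a header whose realm is present but different; there is no case for an Authorization header that omits the `realm=` field entirely, which is the input most likely to surface an unhandled key lookup in the checker instead of a clean 401 — add one such request and assert `401 Unauthorized` for it as well. The two `base_auth` templates on lines 55 and 66 differ only in the realm value; a single template with `realm="%s"` and the realm passed alongside the other substitutions would avoid repeating the long literal. The enclosing test method starts and ends outside the hunk.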