possible incorrect check of cn parameter in httpauth.py

Anonymous created an issue

I have a question about function _parseDigestAuthorization lines 144-146 in lib/httpauth.py

    # If qop is sent then cnonce and cn MUST be present
    if params.has_key("qop") and not params.has_key("cnonce") \
                                  and params.has_key("cn"):

I don't know what "cn" is. I don't see where it's used in CherryPy code or in RFC2617. (Maybe it's used in some other RFC, but I don't know which one would be relevant.) "nc" is used in the CherryPy code and RFC2617, so maybe "cn" is a typo for "nc"?

The comment says that "cn" must be present, but the code returns error (None) if it is present. Maybe missing ()?

The code would make more sense to me if it was:

    if params.has_key("qop") and not (params.has_key("cnonce") \
                                      and params.has_key("nc")):

This code has been stable for quite some time, so I apologize in advance if I'm misunderstanding things.

Reported by garlic39@es3.us
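
The two conditions from the report, compared over a small set of constructed Digest headers. This is an added example, not CherryPy code: the parser `parse_digest_params`, the function names and the sample header values are assumptions, and `has_key` is written as `in` so it runs on Python 3.

```python
import re

# key=value pairs; the value is either a quoted-string or a bare token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_digest_params(header):
    """Split an 'Authorization: Digest ...' value into a dict (hypothetical helper)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for m in _PARAM_RE.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1)] = quoted if quoted is not None else bare
    return params

def rejects_as_quoted(params):
    """Condition quoted in the issue: fires only if a literal 'cn' key exists."""
    return "qop" in params and "cnonce" not in params and "cn" in params

def rejects_as_proposed(params):
    """Condition proposed in the issue: qop requires both cnonce and nc."""
    return "qop" in params and not ("cnonce" in params and "nc" in params)

# Constructed sample headers; every value here is made up for illustration.
BASE = 'Digest username="u", realm="r", nonce="abc", uri="/", response="00"'
SAMPLES = {
    "no qop": BASE,
    "qop, cnonce and nc": BASE + ', qop=auth, nc=00000001, cnonce="xyz"',
    "qop without cnonce": BASE + ', qop=auth, nc=00000001',
    "qop without nc": BASE + ', qop=auth, cnonce="xyz"',
    "qop alone": BASE + ', qop=auth',
    "qop with cn, no cnonce": BASE + ', qop=auth, cn=1',
}

def compare():
    """Return {label: (quoted_rejects, proposed_rejects)} for each sample."""
    out = {}
    for label, header in SAMPLES.items():
        p = parse_digest_params(header)
        out[label] = (rejects_as_quoted(p), rejects_as_proposed(p))
    return out

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:24} quoted={old!s:5} proposed={new!s:5}")
```

With these samples the quoted condition rejects only the header that carries a literal `cn` parameter, while the proposed condition rejects every header that sends `qop` without both `cnonce` and `nc`.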

Comments (2)
