Issue #787 resolved

xxx_auth does not check realm in request headers

created an issue

auth module does not check that the realm in the request headers matches the realm in the config.

auth.basic_auth and auth.digest_auth should pass 'realm' to check_auth.

add lines:

if realm != ah["realm"]: return False

at about line 12 in auth.check_auth()

Comments (3)

  1. Anonymous

    Fixed in [1891] for the current trunk (3.1) and [1892] for the 3.0.x branch. This only check the realm value when using digest since it doesn't seem that the basic response contains the realm value (RFC 2617 is misleading on that one).

  2. Log in to comment