Package: libwww-perl
Version: 6.36-2
Severity: normal

Hi,

while implementing Digest Auth for AnyEvent::HTTP I found an issue in LWP::UserAgent Digest Authen. The whole code for creating the "message-digest" is broken/ineffective as there seems to be a stray md5->reset:

/usr/share/perl5/LWP/Authen/Digest.pm

    if($request->method =~ /^(?:POST|PUT)$/) {
        $md5->add($request->content);
        my $content = $md5->hexdigest;
        $md5->reset;
        $md5->add(join(":", @digest[0..1], $content));
        $md5->reset;
        $resp{"message-digest"} = $md5->hexdigest;
        push(@order, "message-digest");
    }

As the md5 object is being reset before the md5->hexdigest is being extracted, it will always return the md5 null value hexdigest:

    flo@p4:~$ perl -MDigest::MD5 -e '$m=new Digest::MD5; print "Init " . $m->hexdigest() . "\n"; $m->add("Foo"); print "Foo " . $m->hexdigest() . "\n"; $m->reset(); print "Reset " . $m->hexdigest . "\n";'
    Init d41d8cd98f00b204e9800998ecf8427e
    Foo 1356c67d7ad1638d816bfb822dd2c25d
    Reset d41d8cd98f00b204e9800998ecf8427e

I also failed to find the corresponding RFC describing the message-digest auth request field.

Flo

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libwww-perl depends on:
ii  ca-certificates             20200601~deb10u1
ii  libencode-locale-perl       1.05-1
ii  libfile-listing-perl        6.04-1
ii  libhtml-parser-perl         3.72-3+b3
ii  libhtml-tagset-perl         3.20-3
ii  libhtml-tree-perl           5.07-2
ii  libhttp-cookies-perl        6.04-1
ii  libhttp-date-perl           6.02-1
ii  libhttp-message-perl        6.18-1
ii  libhttp-negotiate-perl      6.01-1
ii  liblwp-mediatypes-perl      6.02-1
ii  liblwp-protocol-https-perl  6.07-2
ii  libnet-http-perl            6.18-1
ii  libtry-tiny-perl            0.30-1
ii  liburi-perl                 1.76-1
ii  libwww-robotrules-perl      6.02-1
ii  netbase                     5.6
ii  perl                        5.28.1-6+deb10u1

Versions of packages libwww-perl recommends:
ii  libdata-dump-perl    1.23-1
ii  libhtml-form-perl    6.03-1
ii  libhtml-format-perl  2.12-1
ii  libhttp-daemon-perl  6.01-3
ii  libmailtools-perl    2.18-1

Versions of packages libwww-perl suggests:
pn  libauthen-ntlm-perl  <none>

-- no debconf information
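
The effect of the stray reset on the field value, as an added example that is not part of the report and not LWP's own code: the reported call order beside one with the second reset removed, checked over several request bodies. The function names and the two @digest values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not LWP's code: the call order from the report next to a
# version without the stray reset, run over constructed inputs.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Same call order as the snippet quoted in the report.
sub message_digest_as_reported {
    my ($content, @digest) = @_;
    my $md5 = Digest::MD5->new;
    $md5->add($content);
    my $body_hash = $md5->hexdigest;
    $md5->reset;
    $md5->add(join(":", @digest[0..1], $body_hash));
    $md5->reset;                 # discards the data added one line above
    return $md5->hexdigest;      # digest of zero bytes
}

# Hypothetical corrected order: read the digest before any further reset.
sub message_digest_without_stray_reset {
    my ($content, @digest) = @_;
    my $md5 = Digest::MD5->new;
    $md5->add($content);
    my $body_hash = $md5->hexdigest;
    $md5->reset;
    $md5->add(join(":", @digest[0..1], $body_hash));
    return $md5->hexdigest;
}

my $EMPTY_MD5 = md5_hex("");     # MD5 of the empty string
my @digest = ("constructed-value-0", "constructed-value-1");  # placeholders

for my $body ("a=1", "a=2", "") {
    my $bad  = message_digest_as_reported($body, @digest);
    my $good = message_digest_without_stray_reset($body, @digest);
    my $want = md5_hex(join(":", @digest[0..1], md5_hex($body)));
    # The reported order must not vary with the body; the corrected one must.
    die "reported sequence depends on the body\n" unless $bad  eq $EMPTY_MD5;
    die "corrected sequence mismatch\n"           unless $good eq $want;
    printf "%-5s reported=%s corrected=%s\n", "'$body'", $bad, $good;
}
print "reported sequence always yields $EMPTY_MD5\n";
```

Because the reported order yields the same constant for every body, a server or test harness can flag an affected client by comparing the received message-digest value against the MD5 of the empty string.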