Hi,

after some digging I guess I can explain where this code comes from.

In March 1996 the 3rd Draft of the "Digest Access Authentication" contained the message-digest as optional.

https://tools.ietf.org/html/draft-ietf-http-digest-aa-03

    The purpose of the <message-digest> is to allow the server to ensure
    that the content of the request body has not been tampered with after
    leaving the client. This would normally be used with a POST or PUT
    request and would allow the server to check the validity of the posted
    data. The <entity-body> is the "entity body" as prescribed in the
    Hypertext Transfer Protocol version 1.1.

Just 3 months later it was dropped from the Draft:

https://tools.ietf.org/html/draft-ietf-http-digest-aa-04

No mention of the "message-digest".

So the LWP::UserAgent Digest Authentication code was written against the Draft 3 in 1996, and when that draft was updated and later got into the Standard Track nobody removed that code.

That code has never been tested or been functional.

I would propose to remove these lines:

    50     if($request->method =~ /^(?:POST|PUT)$/) {
    51         $md5->add($request->content);
    52         my $content = $md5->hexdigest;
    53         $md5->reset;
    54         $md5->add(join(":", @digest[0..1], $content));
    55         $md5->reset;
    56         $resp{"message-digest"} = $md5->hexdigest;
    57         push(@order, "message-digest");
    58     }

Flo
-- 
Florian Lohoff                                                 f...@zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
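Added example, not part of the original message and not LWP's own code: the same sequence of Digest::MD5 calls as the quoted lines, run over several request bodies, to show the effect of the `reset` on line 55 on the value that ends up in `message-digest`. The subroutine name and the `@digest` contents are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;

# Same Digest::MD5 call order as the quoted lines 50-58.
# @digest holds constructed placeholder strings, not real protocol values.
sub message_digest_as_quoted {
    my ($content, @digest) = @_;
    my $md5 = Digest::MD5->new;

    $md5->add($content);                 # line 51: hash the request body
    my $body_hash = $md5->hexdigest;     # line 52
    $md5->reset;                         # line 53
    $md5->add(join(":", @digest[0..1], $body_hash));   # line 54
    $md5->reset;                         # line 55: discards what line 54 added
    return $md5->hexdigest;              # line 56: digest of zero bytes
}

my @digest = ("constructed-first-element", "constructed-second-element");

# Reference value: MD5 of the empty string.
my $empty = Digest::MD5->new->hexdigest;

# Constructed request bodies; a working integrity value would differ per body.
for my $body ("a=1&b=2", "a=1&b=3", "") {
    my $got = message_digest_as_quoted($body, @digest);
    printf "%-10s -> %s (%s)\n", "'$body'", $got,
        $got eq $empty ? "same as empty-input MD5" : "depends on body";
}
```

Because the value is computed after the state is cleared, it carries no information about the body or the other inputs, so a server could not use it to detect a modified POST or PUT payload.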