Author: markt
Date: Tue Jun 12 13:23:53 2012
New Revision: 1349317
URL: http://svn.apache.org/viewvc?rev=1349317&view=rev
Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=52954 Be tolerant of a slightly broken Android implementation of DIGEST auth. Security is not impacted.
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1349317&r1=1349316&r2=1349317&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Tue Jun 12 13:23:53 2012
@@ -566,7 +566,23 @@ public class DigestAuthenticator extends
 uriQuery = request.getRequestURI() + "?" + query;
 }
 if (!uri.equals(uriQuery)) {
- return false;
+ // Some clients (older Android) use an absolute URI for
+ // DIGEST but a relative URI in the request line.
+ // request. 2.3.5 < fixed Android version <= 4.0.3
+ String host = request.getHeader("host");
+ String scheme = request.getScheme();
+ if (host != null && !uriQuery.startsWith(scheme)) {
+ StringBuilder absolute = new StringBuilder();
+ absolute.append(scheme);
+ absolute.append("://");
+ absolute.append(host);
+ absolute.append(uriQuery);
+ if (!uri.equals(absolute.toString())) {
+ return false;
+ }
+ } else {
+ return false;
+ }
 }
 }
@@ -625,7 +641,9 @@ public class DigestAuthenticator extends
 if (cnonce == null || nc == null) {
 return false;
 }
- if (nc.length() != 8) {
+ // RFC 2617 says nc must be 8 digits long. Older Android clients
+ // use 6. 2.3.5 < fixed Android version <= 4.0.3
+ if (nc.length() < 6 || nc.length() > 8) {
 return false;
 }
 long count;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
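Review bot: The third comment line of the new block in the first hunk, `// request. 2.3.5 < fixed Android version <= 4.0.3`, carries a stray `request.` left over from rewrapping the preceding sentence; it should read `// 2.3.5 < fixed Android version <= 4.0.3`. The absolute form is rebuilt from the client-supplied Host header and compared against the client-supplied uri directive, so this branch only verifies that the client's two claims agree with each other; that is presumably acceptable because the uri directive still feeds the digest computed elsewhere in this method, but a one-line comment stating that reliance, e.g. `// uri is also hashed into the response, so a forged match still fails the digest check`, would save the next reader from re-deriving it. Style-wise the StringBuilder with four appends is more simply written as `String absolute = scheme + "://" + host + uriQuery;` followed by `if (!uri.equals(absolute)) {`. The enclosing method starts and ends outside the hunk.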
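Review bot: The relaxed check in the second hunk, `if (nc.length() < 6 || nc.length() > 8)`, also admits 7-character nonce counts, which neither RFC 2617 nor the Android clients described in the comment send; matching the comment exactly would be `if (nc.length() != 6 && nc.length() != 8) {`. Whatever parses `nc` into `count` below the hunk presumably still rejects non-hex input, so this is about keeping the accepted grammar as tight as the stated need rather than a new weakness. The enclosing method continues outside the hunk.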