< Previous by Date | Date Index | Next by Date > |
Thread Index | Next in Thread > |
Hi, I just came across a serious issue where clients are unable
to authenticate if they send the qop Parameter in a Proxy-Authorization in
quotes. Eg it sends ……,qop=”auth”
instead of …..,qop=auth The code in qopparameter.cxx will classify this as
qopOptions parameter as you can see from the following code: if
(*pb.position() == Symbols::DOUBLE_QUOTE[0]) { pb.reset(anchor); return new QuotedDataParameter(ParameterTypes::qopOptions,
pb, terminators); } else { pb.reset(anchor); return new DataParameter(ParameterTypes::qop, pb,
terminators); } As far as I can see from the RFC it doesn’t say that
the qop parameter in a proxy-authorization must not be quoted, so I seems that
the assumtion this code is making is incorrect. (Even if it was right, there
are clients that send the qop param quoted…) But how to fix it? What would be the correct criteria to
determine which type of parameter it actually is? Why is there a qopOptions and
a qop Parameter at all? Best regards, Matthias Moetje
|