View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004636 | libmicrohttpd | digest authentication (HTTP) | public | 2016-09-02 11:01 | 2016-10-17 19:21 |
| Reporter | 0xda7aba5e | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | minor | Reproducibility | N/A |
| Status | closed | Resolution | fixed | ||
| Product Version | 0.9.51 | ||||
| Target Version | 0.9.52 | Fixed in Version | 0.9.52 | ||
| Summary | 0004636: non-sequential nonce count | ||||
| Description | Browsers maybe send there nonce-count in an non-sequential order. In file "src/microhttpd/digestauth.c" the function "check_nonce_nc" only accepts ascending nonce-count values: Request 1: nc=1 Request 2: nc=2 Request 3: nc=5 It should be possible that a nonce-count value is lower than a nonce-count sent before: Request 1: nc=1 Request 2: nc=2 Request 3: nc=5 Request 4: nc=3 Request 5: nc=4 Request 6: nc=6 Such a sequence causes a 401 response. | ||||
| Tags | No tags attached. | ||||
|
|
Ok, I guess we should keep a bit mask in addition to the counter to allow this. |
|
|
Implemented in SVN 37899. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-09-02 11:01 | 0xda7aba5e | New Issue | |
| 2016-09-04 18:17 | Christian Grothoff | Note Added: 0011087 | |
| 2016-09-04 18:17 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2016-09-04 18:17 | Christian Grothoff | Status | new => assigned |
| 2016-09-04 18:17 | Christian Grothoff | Target Version | => 0.9.52 |
| 2016-09-06 23:42 | Christian Grothoff | Note Added: 0011095 | |
| 2016-09-06 23:42 | Christian Grothoff | Status | assigned => resolved |
| 2016-09-06 23:42 | Christian Grothoff | Fixed in Version | => 0.9.52 |
| 2016-09-06 23:42 | Christian Grothoff | Resolution | open => fixed |
| 2016-10-17 19:21 | Christian Grothoff | Status | resolved => closed |
