Handle out-of-order parameters to http digest auth

2025-12-15 20:29:03 +00:00 · 2016-08-12 23:44:43 +00:00
parent e31c4fe64e
commit 2e191df64d
1 changed files with 50 additions and 2 deletions
--- a/nselib/sasl.lua
+++ b/nselib/sasl.lua
@@ -85,8 +85,9 @@ if HAVE_SSL then
    -- regardless of what RFC says
    parseChallenge = function(self)
      local results = {}
-      local start, stop = 0,0
      if self.chall then
+        local start, stop = self.chall:find("^[Dd][Ii][Gg][Ee][Ss][Tt]%s+")
+        stop = stop or 0
        while(true) do
          local name, value
          start, stop, name = self.chall:find("([^=]*)=%s*", stop + 1)
@@ -97,7 +98,7 @@ if HAVE_SSL then
            start, stop, value = self.chall:find("([^,]*)", stop + 1)
          end
          name = name:lower()
-          if name == "digest realm" then name="realm" end
+          --if name == "digest realm" then name="realm" end
          self.challnvs[name] = value
          start, stop = self.chall:find("%s*,%s*", stop + 1)
          if ( not(start) ) then break end
@@ -458,4 +459,51 @@ Helper = {
  end,
 }

+local unittest = require "unittest"
+
+if not unittest.testing() then
+  return _ENV
+end
+
+test_suite = unittest.TestSuite:new()
+
+local _ = "ignored"
+
+local object = DigestMD5:new('Digest realm="test", domain="/HTTP/Digest",\z
+  nonce="c8563a5b367e66b3693fbb07a53a30ba"',
+  _, _, _, _)
+test_suite:add_test(unittest.keys_equal(
+    object.challnvs,
+    {
+      nonce='c8563a5b367e66b3693fbb07a53a30ba',
+      realm='test',
+      domain='/HTTP/Digest',
+    }
+  ))
+
+object = DigestMD5:new('Digest nonce="9e4ab724d272474ab13b64d75300a47b", \z
+  opaque="de40b82666bd5fe631a64f3b2d5a019e", \z
+  realm="me@kennethreitz.com", qop=auth',
+  _, _, _, _)
+test_suite:add_test(unittest.keys_equal(
+    object.challnvs,
+    {
+      nonce='9e4ab724d272474ab13b64d75300a47b',
+      opaque='de40b82666bd5fe631a64f3b2d5a019e',
+      realm='me@kennethreitz.com',
+      qop='auth',
+    }
+  ))
+
+object = DigestMD5:new('realm=test, domain="/HTTP/Digest",\tnonce=c8563a5b367e66b3693fbb07a53a30ba',
+  _, _, _, _)
+test_suite:add_test(unittest.keys_equal(
+    object.challnvs,
+    {
+      nonce='c8563a5b367e66b3693fbb07a53a30ba',
+      realm='test',
+      domain='/HTTP/Digest',
+    }
+  ))
+
 return _ENV;