Posted to dev@perl.apache.org by Stas Bekman <st...@stason.org> on 2004/08/13 20:15:52 UTC

Re: cvs commit: modperl-2.0/t/hooks authen_digest.t

geoff@apache.org wrote:
> geoff       2004/08/13 11:09:14
> 
>   Modified:    t/hooks  authen_digest.t
>   Log:
>   don't try to guess the nonce format - just make sure it's there
>   
>   Revision  Changes    Path
>   1.4       +1 -1      modperl-2.0/t/hooks/authen_digest.t
>   
>   Index: authen_digest.t
>   ===================================================================
>   RCS file: /home/cvs/modperl-2.0/t/hooks/authen_digest.t,v
>   retrieving revision 1.3
>   retrieving revision 1.4
>   diff -u -r1.3 -r1.4
>   --- authen_digest.t	11 Aug 2004 12:34:45 -0000	1.3
>   +++ authen_digest.t	13 Aug 2004 18:09:14 -0000	1.4
>   @@ -43,7 +43,7 @@
>                 'WWW-Authenticate header contains the proper realm');
>    
>        ok t_cmp($wwwauth,
>   -             qr/nonce="\w+"/,
>   +             qr/nonce="/,
>                 'WWW-Authenticate header contains a nonce');
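
Review bot: the new pattern on the + line, qr/nonce="/, accepts a header carrying nonce="" and even an unterminated nonce=", and because it has no word boundary it also matches any parameter whose name merely ends in nonce. If presence of the field is all this test should assert, qr/\bnonce="[^"]*"/ says that exactly without guessing the value format; if an empty value should fail, use [^"]+ there instead. The description string 'WWW-Authenticate header contains a nonce' could also state which of the two is intended.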

what if you get nonce="", is that good enough? would it be more correct to 
check:

qr/nonce="[^"]+"/,


-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: cvs commit: modperl-2.0/t/hooks authen_digest.t

Posted by Stas Bekman <st...@stason.org>.
Geoffrey Young wrote:
>>what if you get nonce="", is that good enough? would it be more correct
>>to check:
>>
>>qr/nonce="[^"]+"/,
> 
> 
> yeah, I thought about that.  but then I thought that I'm not so sure that I
> care that nonce is implemented properly as I am that it appears at all -
> having a nonce field indicates that ap_note_digest_auth_failure was called,
> while checking the nonce value indicates that it was called and the
> underlying implementation is implementing a correct nonce scheme.
> 
> as an aside, I don't see anything in the RFCs that indicate that nonce="" is
> invalid - 2617 hints that some nonce choices are better than others, but I'm
> not entirely certain that it can't be just an empty string and be RFC
> compliant.  from a technical standpoint it certainly can be - the digest
> mechanism would compute the same digest so long as both parties agreed to
> use "" as the nonce.  so I guess I'm saying that I don't know whether
> nonce="" is valid or not, but I might think so.
> 
> anyway, either way is fine with me - I don't feel strongly one way or the
> other so feel free to change it to the above regex if you like, since it
> would certainly be odd to find nonce="" which would indicate that something
> may have changed over in mod_auth_digest.c.

Sure, I haven't read the RFC so if that's what it says, then let's keep it 
as is. Thanks for checking that, Geoff.


-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: cvs commit: modperl-2.0/t/hooks authen_digest.t

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> what if you get nonce="", is that good enough? would it be more correct
> to check:
> 
> qr/nonce="[^"]+"/,

yeah, I thought about that.  but then I thought that I'm not so sure that I
care that nonce is implemented properly as I am that it appears at all -
having a nonce field indicates that ap_note_digest_auth_failure was called,
while checking the nonce value indicates that it was called and the
underlying implementation is implementing a correct nonce scheme.

as an aside, I don't see anything in the RFCs that indicate that nonce="" is
invalid - 2617 hints that some nonce choices are better than others, but I'm
not entirely certain that it can't be just an empty string and be RFC
compliant.  from a technical standpoint it certainly can be - the digest
mechanism would compute the same digest so long as both parties agreed to
use "" as the nonce.  so I guess I'm saying that I don't know whether
nonce="" is valid or not, but I might think so.

anyway, either way is fine with me - I don't feel strongly one way or the
other so feel free to change it to the above regex if you like, since it
would certainly be odd to find nonce="" which would indicate that something
may have changed over in mod_auth_digest.c.

--Geoff
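
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the mod_perl test suite: it runs the three patterns from the thread over constructed WWW-Authenticate values, then computes the RFC 2617 response (the form without qop) to show what an empty nonce does to it. The realm, user name, password, URI and nonce values are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# The three patterns from the thread: revision 1.3, revision 1.4, and the
# stricter one suggested in the reply.
my %pattern = (
    'r1.3 word-only' => qr/nonce="\w+"/,
    'r1.4 present'   => qr/nonce="/,
    'non-empty'      => qr/nonce="[^"]+"/,
);

# Constructed header values (not captured from a real server).
my %header = (
    'hex nonce'    => 'Digest realm="Example", nonce="5f2a9c01d4e7", algorithm=MD5',
    'base64 nonce' => 'Digest realm="Example", nonce="dcd98b71+/02bfb0==", algorithm=MD5',
    'empty nonce'  => 'Digest realm="Example", nonce="", algorithm=MD5',
    'no nonce'     => 'Digest realm="Example", algorithm=MD5',
);

for my $h (sort keys %header) {
    for my $p (sort keys %pattern) {
        printf "%-13s %-15s %s\n", $h, $p,
            $header{$h} =~ $pattern{$p} ? 'match' : 'no match';
    }
}

# RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2).
sub digest_response {
    my ($user, $realm, $pass, $nonce, $method, $uri) = @_;
    my $ha1 = md5_hex(join ':', $user, $realm, $pass);
    my $ha2 = md5_hex(join ':', $method, $uri);
    return md5_hex(join ':', $ha1, $nonce, $ha2);
}

# Four successive challenges: two with an empty nonce, two with fresh ones.
# The empty nonce still yields a computable digest, but the response is the
# same every time, so nothing binds it to a single challenge.
for my $nonce ('', '', '5f2a9c01d4e7', '9b3e11c7a0d2') {
    my $resp = digest_response('user', 'Example', 'constructed-password',
                               $nonce, 'GET', '/protected');
    printf "nonce=%-14s response=%s\n", qq("$nonce"), $resp;
}
```

The word-only pattern rejects the base64-style value, which is the format guessing the commit removes; only the non-empty pattern separates the empty-nonce header from the valid ones.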
