Posted to dev@perl.apache.org by Stas Bekman <st...@stason.org> on 2004/08/13 20:15:52 UTC
Re: cvs commit: modperl-2.0/t/hooks authen_digest.t
geoff@apache.org wrote:
> geoff 2004/08/13 11:09:14
>
> Modified: t/hooks authen_digest.t
> Log:
> don't try to guess the nonce format - just make sure it's there
>
> Revision Changes Path
> 1.4 +1 -1 modperl-2.0/t/hooks/authen_digest.t
>
> Index: authen_digest.t
> ===================================================================
> RCS file: /home/cvs/modperl-2.0/t/hooks/authen_digest.t,v
> retrieving revision 1.3
> retrieving revision 1.4
> diff -u -r1.3 -r1.4
> --- authen_digest.t 11 Aug 2004 12:34:45 -0000 1.3
> +++ authen_digest.t 13 Aug 2004 18:09:14 -0000 1.4
> @@ -43,7 +43,7 @@
> 'WWW-Authenticate header contains the proper realm');
>
> ok t_cmp($wwwauth,
> - qr/nonce="\w+"/,
> + qr/nonce="/,
> 'WWW-Authenticate header contains a nonce');
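Review bot: the new pattern on the changed line, qr/nonce="/, passes on nonce="" and on an unterminated value, so the description 'WWW-Authenticate header contains a nonce' now claims more than the test checks. If the goal is only to confirm that the parameter is emitted, reword the description to say that; if a value is expected, qr/nonce="[^"]+"/ requires a non-empty quoted string without assuming which characters the nonce uses.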
what if you get nonce="", is that good enough? would it be more correct to
check:

  qr/nonce="[^"]+"/,

--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org
Re: cvs commit: modperl-2.0/t/hooks authen_digest.t
Posted by Stas Bekman <st...@stason.org>.
Geoffrey Young wrote:
>>what if you get nonce="", is that good enough? would it be more correct
>>to check:
>>
>>qr/nonce="[^"]+"/,
>
>
> yeah, I thought about that. but then I thought that I'm not so sure that I
> care that nonce is implemented properly as I am that it appears at all -
> having a nonce field indicates that ap_note_digest_auth_failure was called,
> while checking the nonce value indicates that it was called and the
> underlying implementation is implementing a correct nonce scheme.
>
> as an aside, I don't see anything in the RFCs that indicate that nonce="" is
> invalid - 2617 hints that some nonce choices are better than others, but I'm
> not entirely certain that it can't be just an empty string and be RFC
> compliant. from a technical standpoint it certainly can be - the digest
> mechanism would compute the same digest so long as both parties agreed to
> use "" as the nonce. so I guess I'm saying that I don't know whether
> nonce="" is valid or not, but I might think so.
>
> anyway, either way is fine with me - I don't feel strongly one way or the
> other so feel free to change it to the above regex if you like, since it
> would certainly be odd to find nonce="" which would indicate that something
> may have changed over in mod_auth_digest.c.
Sure, I haven't read the RFC so if that's what it says, then let's keep it
as is. Thanks for checking that, Geoff.
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Re: cvs commit: modperl-2.0/t/hooks authen_digest.t
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> what if you get nonce="", is that good enough? would it be more correct
> to check:
>
> qr/nonce="[^"]+"/,
yeah, I thought about that. but then I thought that I'm not so sure that I
care that nonce is implemented properly as I am that it appears at all -
having a nonce field indicates that ap_note_digest_auth_failure was called,
while checking the nonce value indicates that it was called and the
underlying implementation is implementing a correct nonce scheme.

as an aside, I don't see anything in the RFCs that indicate that nonce="" is
invalid - 2617 hints that some nonce choices are better than others, but I'm
not entirely certain that it can't be just an empty string and be RFC
compliant. from a technical standpoint it certainly can be - the digest
mechanism would compute the same digest so long as both parties agreed to
use "" as the nonce. so I guess I'm saying that I don't know whether
nonce="" is valid or not, but I might think so.

anyway, either way is fine with me - I don't feel strongly one way or the
other so feel free to change it to the above regex if you like, since it
would certainly be odd to find nonce="" which would indicate that something
may have changed over in mod_auth_digest.c.

--Geoff
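
The three patterns from this thread run against constructed WWW-Authenticate values, followed by the RFC 2617 response computation (no qop) with an empty nonce. This is an added example, not code from the mod_perl test suite or from either poster; the header values, credentials and helper names (accepts, digest_response) are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Patterns from the thread: revision 1.3, revision 1.4, and the stricter
# alternative proposed in the reply.
my %pattern = (
    'r1.3'      => qr/nonce="\w+"/,
    'r1.4'      => qr/nonce="/,
    'non-empty' => qr/nonce="[^"]+"/,
);

# Constructed sample headers (realm and nonce values are made up).
my %header = (
    alnum   => 'Digest realm="example realm", nonce="4f1c9a27b3", algorithm=MD5',
    base64  => 'Digest realm="example realm", nonce="q1T+x/9uAw==", algorithm=MD5',
    empty   => 'Digest realm="example realm", nonce="", algorithm=MD5',
    missing => 'Digest realm="example realm", algorithm=MD5',
);

# Returns 1 if the named pattern accepts the named sample header, else 0.
sub accepts {
    my ($pat, $hdr) = @_;
    return $header{$hdr} =~ $pattern{$pat} ? 1 : 0;
}

# RFC 2617 response when no qop is sent: MD5(HA1 ":" nonce ":" HA2).
sub digest_response {
    my ($user, $realm, $pass, $method, $uri, $nonce) = @_;
    my $ha1 = md5_hex(join ':', $user, $realm, $pass);
    my $ha2 = md5_hex(join ':', $method, $uri);
    return md5_hex(join ':', $ha1, $nonce, $ha2);
}

for my $pat (sort keys %pattern) {
    my @row;
    push @row, "$_=" . accepts($pat, $_) for sort keys %header;
    print "$pat: @row\n";
}

# Constructed credentials. With nonce "" the response is well defined, but it
# is the same for every challenge, so nothing ties it to one exchange.
my @cred = ('user', 'example realm', 'secret', 'GET', '/private/');
my $r1 = digest_response(@cred, '');
my $r2 = digest_response(@cred, '');
my $r3 = digest_response(@cred, '4f1c9a27b3');
print "empty nonce, two challenges: ", ($r1 eq $r2 ? "identical" : "differ"), "\n";
print "empty vs non-empty nonce:    ", ($r1 eq $r3 ? "identical" : "differ"), "\n";
```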