Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 92660 - Links browser responds to WWW-Authenticate: Digest challenge with Authorization: Basic
Summary: Links browser responds to WWW-Authenticate: Digest challenge with Authorizati...
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Marcelo Goes (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-14 18:45 UTC by eric.williams
Modified: 2005-06-07 14:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description eric.williams 2005-05-14 18:45:58 UTC 
This looks like an upstream issue, if it's not a Links config problem.

I was testing Digest authentication with a servlet under JBoss that I've developed (though I suspect Apache could reproduce this as well, with some work; I'd have to try it).

It turns out that Links is recognizing the WWW-Authenticate: Digest header in the 401 response and prompts the user for username and password -- but then turns around and sends an Authorization: Basic <base64-encoded> response.

This is quite obviously wrong, though it's not a security concern as such, just a bug.

(This is links-2.1_pre17.)

Reproducible: Always
Steps to Reproduce:
1. Configure Apache, JBOSS, or other such to enable Digest authentication.  (I ran into this bug because I'm doing some custom code that works very well with Mozilla/Firefox -- and even with IE.)
2. 'emerge links' if necessary.
3. Turn on a sniffer.  I use tcpdump but there are presumably others.
4. Try to access the website using Links and using Mozilla or Firefox.
5. Look at the dumped packets.
Actual Results:  
Mozilla works fine; authentication proceeds and the response comes back.

Links gets a 400 Bad Request error.  The logs on the servlet side (in JBoss, at
least) clearly show the bad header coming back.

(For what it's worth, Lynx (another browser) is showing more or less correct
behavior, if only because it can't understand Digest authentication so it
basically gives up and shows the 401 response.)

Expected Results:  
A good question.  Ideally, Links would fully implement RFC2617, or at least
enough to do the right thing by Apache.  Either that, or it could spit out a
message locally stating that "sorry, we don't do Digest Authentication", to warn
the user.

See http://www.ietf.org/rfc/rfc2616.txt and http://www.ietf.org/rfc/rfc2617.txt
for the gory details.

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130,
glibc-2.3.4.20041102-r1, 2.6.10-gentoo-r6 i686)
=================================================================
System uname: 2.6.10-gentoo-r6 i686 AMD Athlon(TM) XP 1600+
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, Apr 29 2005, 20:55:04)]
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r7
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.8.1-r1, 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=athlon-xp -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=athlon-xp -march=i686 -pipe"
DISTDIR="/data/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.iso88591"
MAKEOPTS="-j3"
PKGDIR="/usr/portage_packages.aurigae"
PORTAGE_TMPDIR="/data/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X aalib acpi acpi4linux alsa apm arts avi berkdb bitmap-fonts cdr
crypt cups curl eds emboss encode esd f77 fam flac foomaticdb fortran gd gdbm
ggi gif gimpprint gnome gnomedb gpm gstreamer gtk gtk2 guile imagemagick imlib
ipv6 jack java jpeg junit kde libg++ libwww mad mikmod mmx motif mozilla mp3
mpeg nas ncurses nls nptl ogg oggvorbis opengl oss pam pdflib perl png postgres
ppds python qt quicktime readline sdl slang snmp spell ssl tcltk tcpd tetex tiff
truetype truetype-fonts type1-fonts unicode vorbis xine xml2 xmms xv zlib
video_cards_fglrx video_cards_radeon userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Marcelo Goes (RETIRED) gentoo-dev 2005-05-15 11:28:00 UTC 
Hi there,

Thanks for bringing the bug up.
Have you a) tested a hand-compiled version b) contacted upstream?

This does look like an upstream problem, where they would be more apt to solve it quickly.
Comment 2 Marcelo Goes (RETIRED) gentoo-dev 2005-05-25 10:57:02 UTC 
Please re-open if a handcompiled version yields a different result.
Otherwise I am taking this is an upstream issue and should be reported to them.
Comment 3 Marcelo Goes (RETIRED) gentoo-dev 2005-06-07 14:18:26 UTC 
A patch from upstream is in -r2 for testing.