
This queue is for tickets about the Catalyst-Authentication-Credential-HTTP CPAN distribution.

Report information
The Basics
Id: 84789
Status: new
Priority: 0/
Queue: Catalyst-Authentication-Credential-HTTP

Owner: Nobody in particular
Requestors: bitcard [...]

Bug Information
Severity: Normal
Broken in: 1.015
Fixed in: (no value)


Subject: [PATCH] 400 Error on Digest Auth using python urllib over Proxy
Python's urllib uses an absoluteURI in the Digest header when talking to a proxy. This absoluteURI is not accepted by Catalyst and the request always fails with a 400 status code without even checking the user/password. This surfaced against the MusicBrainz server, using Catalyst for the Digest handling:

There are also complete headers available for a test with and without a proxy in between. Additionally there is a test available. You don't need actual MusicBrainz usernames for the test. "test123:123" works fine, since the 400 error occurs even before checking the user/password.

Not all clients use an absoluteURI in the digest header, but python's urllib does this. There has been a report for python for quite some time and the decision is that what urllib does is fine according to the RFCs. The absoluteURI should be handled by the server:

I have a patch ready which I will submit after the ticket is open (referencing the ticket).

Additional info: perl 5.14.2, Ubuntu Linux with 3.2.0 kernel
From: bitcard [...]
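The server-side check the report asks for, written here as an added illustration in Python rather than as Catalyst's own Perl code: the `uri` field of a Digest `Authorization` header is accepted either as `path?query` or as an absoluteURI naming the same origin, and only then are the credentials verified. The hostnames, realm, nonce and the `lookup_password` callback are constructed for the example; the MD5 computation follows RFC 2617 and hashes the `uri` string exactly as the client sent it, because that is the value the client hashed.

```python
"""Digest 'uri' matching that tolerates absoluteURI (added example, not Catalyst code)."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_digest_header(header):
    """Parse an 'Authorization: Digest k="v", k=v, ...' value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _origin(parts):
    """Normalise (scheme, host, port) so 'http://host:80' equals 'http://host'."""
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def _path_query(parts):
    return parts.path + ("?" + parts.query if parts.query else "")


def uri_matches(request_url, digest_uri):
    """True if the digest 'uri' names the resource this request is for.

    request_url: the full URL the server reconstructs for the request
    digest_uri:  the 'uri' header field, either 'path?query' (most clients)
                 or an absoluteURI (what urllib sends through a proxy)
    """
    req = urlsplit(request_url)
    if digest_uri == _path_query(req):
        return True
    sent = urlsplit(digest_uri)
    if not (sent.scheme and sent.netloc):
        return False  # relative form that simply does not match
    return _origin(sent) == _origin(req) and _path_query(sent) == _path_query(req)


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def expected_response(fields, method, password):
    """RFC 2617 response value; A2 uses the 'uri' string as the client sent it."""
    ha1 = _md5(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = _md5(f"{method}:{fields['uri']}")
    if fields.get("qop"):
        return _md5(f"{ha1}:{fields['nonce']}:{fields['nc']}:{fields['cnonce']}:"
                    f"{fields['qop']}:{ha2}")
    return _md5(f"{ha1}:{fields['nonce']}:{ha2}")


def check_request(method, request_url, authorization, lookup_password):
    """Return an HTTP status: 400 for a bad header or uri, 401 for bad credentials, 200 if ok.

    A real server must also check that the nonce is one it issued and is still
    fresh; that bookkeeping is left out of this example.
    """
    fields = parse_digest_header(authorization or "")
    required = {"username", "realm", "nonce", "uri", "response"}
    if not fields or not required.issubset(fields):
        return 400
    if fields.get("qop") and not {"nc", "cnonce"}.issubset(fields):
        return 400
    if not uri_matches(request_url, fields["uri"]):
        return 400  # the failure mode in the report, now only for a real mismatch
    password = lookup_password(fields["username"])  # hypothetical credential store
    if password is None:
        return 401
    if hmac.compare_digest(expected_response(fields, method, password), fields["response"]):
        return 200
    return 401


def client_header(username, password, realm, nonce, method, uri,
                  cnonce="0a4f113b", nc="00000001"):
    """Build the header a client would send; 'uri' may be relative or an absoluteURI."""
    fields = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
              "qop": "auth", "nc": nc, "cnonce": cnonce}
    fields["response"] = expected_response(fields, method, password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    url = "http://server.example/ws/2/artist?query=foo"  # constructed request URL
    store = {"test123": "123"}.get
    proxied = client_header("test123", "123", "example.org", "n0nce", "GET",
                            "http://server.example:80/ws/2/artist?query=foo")
    print(check_request("GET", url, proxied, store))  # 200: absoluteURI accepted
```

Origins are compared after normalisation so that an explicit default port or a differently cased host name does not turn a legitimate proxied request into a 400, while a `uri` pointing at another host is still rejected before any password is consulted.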
This is the proposed patch that uses the canonical uri (in addition to the other check possibilities). This fixes my problem. No 400 Error anymore, and when the user/password is correct I can submit things fine (200 status).
Subject: 0001-84789-allow-absoluteURI-in-digest-uri-header.patch
From 77a1d955b6152b955707f035d82f6e7ae942db16 Mon Sep 17 00:00:00 2001 From: Johannes Dewender <> Date: Mon, 22 Apr 2013 15:42:15 +0000 Subject: [PATCH] 84789: allow absoluteURI in digest uri header The "uri" part of the digest Authorization header part can contain a complete absoluteURI, including server, port and protocol. Python's urllib does that when talking to a proxy in between. So we also allow "uri" to be the canonical uri. --- lib/Catalyst/Authentication/Credential/ | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/Catalyst/Authentication/Credential/ b/lib/Catalyst/Authentication/Credential/ index e9804d9..6eff75e 100644 --- a/lib/Catalyst/Authentication/Credential/ +++ b/lib/Catalyst/Authentication/Credential/ @@ -130,8 +130,9 @@ sub authenticate_digest { my $uri = $c->request->uri->path_query; my $algorithm = $res{algorithm} || 'MD5'; my $nonce_count = '0x' . $res{nc}; + my $canon_uri = $c->request->uri->canonical; - my $check = ($uri eq $res{uri} || + my $check = ($uri eq $res{uri} || $canon_uri eq $res{uri} || ($self->broken_dotnet_digest_without_query_string && $c->request->uri->path eq $res{uri})) && ( exists $res{username} ) --
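Review bot: the added `$canon_uri eq $res{uri}` comparison canonicalises only the server-side URI, so an absoluteURI that the client builds with a different host spelling, an explicit default port, or a base that differs from `$c->request->uri` (as happens behind a reverse proxy) still fails with the same 400; consider normalising the client value as well, e.g. `URI->new($res{uri})->canonical`, before the string comparison. The ticket mentions captured headers with and without a proxy and a ready test, but the patch changes only `lib` (1 file changed), so that test should be part of this change. Since the client hashed its `uri` string verbatim into the response, the response calculation must keep using `$res{uri}` as sent; the hunk does not show which value it uses, so that is worth confirming alongside this URI check.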
