Ticket #121 (closed Defect: Fixed)
Wrong WWW-Authenticate header: 'opaque' contains \n
| Reported by: | ibc | Owned by: | adigeo |
|---|---|---|---|
| Priority: | Major | Milestone: | OpenXCAP 1.2.0 |
| Component: | Authentication and authorization | Version: | trunk |
| Severity: | Critical | Keywords: | |
| Cc: | | | |
Description
The 'opaque' field returned by OpenXCAP contains an invalid \n char (always):
HTTP/1.1 401 Unauthorized
Date: Thu, 23 Jul 2009 14:01:47 GMT
Content-Length: 141
Content-Type: text/html
WWW-Authenticate: digest nonce="425824483285376922361459309552171410484704700167876915741", opaque="a2e3c0d7811739db2cb541bdbe167fb2-NDI1ODI0NDgzMjg1Mzc2OTIyMzYxNDU5MzA5NTUyMTcxNDEwNDg0NzA0NzAwMTY3ODc2OTE1NzQx
LDIxMi4yMzAuMjUzLjI1NCwxMjQ4MzU3NzA3", realm="domain.net", algorithm="MD5", qop="auth"
Server: OpenXCAP/1.1.0
Note that the line "LDIxMi4yMzAuMjUzLjI1NCwxMjQ4MzU3NzA3" is part of the 'opaque' field but is separated by a new line.
PS: Is the 'opaque' field required to be so long?
Change History
comment:1 Changed 3 years ago by ibc
- Version changed from 1.1.0 to trunk
- Component changed from XCAP server to Authentication and authorization
- Milestone changed from Nice to have to OpenXCAP 1.2.0
comment:2 Changed 2 years ago by ibc
Is there any news about this report (at least a confirmation)? Digest authentication doesn't work due to this bug.
Thanks.
comment:3 Changed 2 years ago by ibc
I paste a better (and correct) example of a wrong "opaque" field generated by OpenXCAP (includes a wrong \n):
WWW-Authenticate: digest nonce="590736743434601620676526100631886742937128208700172071612", opaque="34bdc2c3861808cbe133d5aa8b59aab8-NTkwNzM2NzQzNDM0NjAxNjIwNjc2NTI2MTAwNjMxODg2NzQyOTM3MTI4MjA4NzAwMTcyMDcxNjEy LDg1LjU4LjE1LjIxNSwxMjU0NjcwMzM5", realm="mydomain.org", algorithm=MD5, qop="auth"
As you can see, the opaque field contains a \n before "LDg1LjU4LjE1LjIxNSwxMjU0NjcwMzM5" making the header invalid.
comment:4 Changed 2 years ago by ibc
Oops, I don't know what happens when pasting the header as code format...
I do a raw pasting:
WWW-Authenticate: digest nonce="590736743434601620676526100631886742937128208700172071612", opaque="34bdc2c3861808cbe133d5aa8b59aab8-NTkwNzM2NzQzNDM0NjAxNjIwNjc2NTI2MTAwNjMxODg2NzQyOTM3MTI4MjA4NzAwMTcyMDcxNjEy LDg1LjU4LjE1LjIxNSwxMjU0NjcwMzM5", realm="mydomain.org", algorithm=MD5, qop="auth"
comment:6 Changed 2 years ago by ibc
Sometimes the cut is at char 208. Example:
WWW-Authenticate: digest nonce="28909354204997572134559718184264679738724443797830264811", opaque="a82ecc97e3bd7a483e5bf9840e708b47-Mjg5MDkzNTQyMDQ5OTc1NzIxMzQ1NTk3MTgxODQyNjQ2Nzk3Mzg3MjQ0NDM3OTc4MzAyNjQ4MTEs ODUuNTguMTUuMjE1LDEyNTQ2NzExODU=", realm="oversip.net", algorithm=MD5, qop="auth"
It seems that it always creates a final line of 81 chars, so if the realm is different then the size of the first line changes.
comment:7 Changed 2 years ago by adigeo
- Owner changed from support@ag-projects.com to adigeo
- Status changed from new to accepted
comment:8 Changed 2 years ago by saul
Hi,
I've been unable to reproduce the issue both with OpenXCAP 1.1 and 1.2. I suspect the bug is in twisted packages, so please, can you paste the twisted package versions:
dpkg -l | grep twisted
and just in case
dpkg -l | grep python
Thanks,
comment:9 follow-up: ↓ 12 Changed 2 years ago by ibc
Yeah!: Debian Lenny 64 bits.
~# dpkg -l | grep twisted
ii python-twisted-bin 8.1.0-4 Event-based framework for internet applicati
ii python-twisted-conch 1:8.1.0-1 The Twisted SSH Implementation
ii python-twisted-core 8.1.0-4 Event-based framework for internet applicati
ii python-twisted-names 8.1.0-1 A DNS protocol implementation with client an
ii python-twisted-web 8.1.0-1 An HTTP protocol implementation together wit
ii python-twisted-web2 8.1.0-1 An HTTP/1.1 Server Framework
~# dpkg -l | grep python
ii python 2.5.2-3 An interactive high-level object-oriented la
ii python-application 1.1.5 Basic building blocks for Python application
ii python-central 0.6.8 register and build utility for Python packag
ii python-codespeak-lib 0.9.1-3 The pylib library containing py.test, greenl
ii python-crypto 2.0.1+dfsg1-2.3+lenny0 cryptographic algorithms and protocols for P
ii python-ctypes 1.0.2-6 Python package to create and manipulate C da
ii python-dns 2.3.3-2 pydns - DNS client module for Python
ii python-dnspython 1.6.0-1.1 DNS toolkit for Python
ii python-docutils 0.5-2 Utilities for the documentation of Python mo
ii python-elementtree 1.2.6-12 Light-weight toolkit for XML processing
ii python-eventlet 0.8.10 Eventlet is a networking library written in
ii python-formencode 1.0.1-1 validation and form generation Python packag
ii python-fpconst 0.7.2-4 Utilities for handling IEEE 754 floating poi
ii python-gnutls 1.1.8-1 Python wrapper for the GNUTLS library
ii python-lxml 2.1.1-2.1 pythonic binding for the libxml2 and libxslt
ii python-minimal 2.5.2-3 A minimal subset of the Python language (def
ii python-msrplib 0.10.0 MSRP client library, implements RFC4975 and
ii python-mysqldb 1.2.2-7 A Python interface to MySQL
ii python-openssl 0.7-2 Python wrapper around the OpenSSL library
ii python-pam 0.4.2-12 A Python interface to the PAM library
ii python-pkg-resources 0.6c8-4 Package Discovery and Resource Access using
ii python-pyopenssl 0.7-2 transitional dummy package
ii python-roman 0.5-2 A module for generating/analyzing Roman nume
ii python-serial 2.3-1 pyserial - module encapsulating access for t
ii python-setuptools 0.6c8-4 Python Distutils Enhancements
ii python-sipsimple 0.9.0 Python SIP SIMPLE framework
ii python-soappy 0.12.0-4 SOAP Support for Python
ii python-sqlobject 0.10.4 Python module for SQLObject
ii python-support 1.0.3 automated rebuilding support for Python modu
ii python-twisted-bin 8.1.0-4 Event-based framework for internet applicati
ii python-twisted-conch 1:8.1.0-1 The Twisted SSH Implementation
ii python-twisted-core 8.1.0-4 Event-based framework for internet applicati
ii python-twisted-names 8.1.0-1 A DNS protocol implementation with client an
ii python-twisted-web 8.1.0-1 An HTTP protocol implementation together wit
ii python-twisted-web2 8.1.0-1 An HTTP/1.1 Server Framework
ii python-xcaplib 1.0.9 Python library for managing XML documents on
ii python-xml 0.8.4-10.1 XML tools for Python
ii python-zopeinterface 3.3.1-7 The implementation of interface definitions
ii python2.4 2.4.6-1 An interactive high-level object-oriented la
ii python2.4-dev 2.4.6-1 Header files and a static library for Python
ii python2.4-minimal 2.4.6-1 A minimal subset of the Python language (ver
ii python2.5 2.5.2-15 An interactive high-level object-oriented la
ii python2.5-minimal 2.5.2-15 A minimal subset of the Python language (ver
comment:10 Changed 2 years ago by saul
- Status changed from accepted to closed
- Resolution set to Fixed
Finally found and solved the issue.
The bug is caused by the Twisted library (http://twistedmatrix.com/trac/ticket/3693) and is now fixed in OpenXCAP. Please update from the darcs repository.
Big thanks to ibc for his detailed report and testing.
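Added example, not part of the ticket and not OpenXCAP or Twisted code: it decodes the two pieces of the 'opaque' value from the ticket description, reproduces the embedded newline, and shows a single-line encoding together with a check for control bytes in a header value. Assumptions: the break falls after exactly 76 base64 characters, so the sketch models the faulty path as a MIME-style base64 encoder whose output was stripped only at the ends; all function names are hypothetical.

```python
import base64

# The two pieces of the 'opaque' value from the ticket description (the part
# after "<md5 hex>-"); in the server's response a "\n" separated them.
FIRST = b"NDI1ODI0NDgzMjg1Mzc2OTIyMzYxNDU5MzA5NTUyMTcxNDEwNDg0NzA0NzAwMTY3ODc2OTE1NzQx"
SECOND = b"LDIxMi4yMzAuMjUzLjI1NCwxMjQ4MzU3NzA3"


def decode_key(first=FIRST, second=SECOND):
    """Recover the bytes that were base64-encoded into the opaque suffix."""
    return base64.b64decode(first + second)


def encode_wrapped(key):
    """MIME-style encoding: a newline after every 76 output characters.
    Stripping only the ends (the assumed model of the faulty code path)
    leaves the inner newline in place once the key exceeds 57 bytes."""
    return base64.encodebytes(key).strip(b"\n")


def encode_single_line(key):
    """RFC 4648 encoding without line breaks, safe inside a quoted-string."""
    return base64.b64encode(key)


def find_illegal_header_bytes(value):
    """Return (offset, byte) for each CR, LF or other control byte in a
    header field value; an empty list means the value can be emitted."""
    return [(i, b) for i, b in enumerate(value)
            if (b < 0x20 and b != 0x09) or b == 0x7F]


if __name__ == "__main__":
    key = decode_key()
    print("decoded key:", key.decode())  # nonce, client address, timestamp
    for label, encoder in (("wrapped", encode_wrapped),
                           ("single-line", encode_single_line)):
        print(label, find_illegal_header_bytes(encoder(key)))
```

The decoded key begins with the same digits as the `nonce` parameter in that response, which is why the first encoded line is always full and the position of the break does not depend on the realm.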
comment:11 Changed 2 years ago by ibc
Yeah! You're earning your salary. Good job.
comment:12 in reply to: ↑ 9 Changed 22 months ago by mike3050
Replying to ibc:
Yeah!: Debian Lenny 64 bits.
thank you man.

It also occurs in trunk version.