On Wed, 2003-02-05 at 17:44, Sean Burford wrote:
> Hi,
>
> Digest Authentication in Squid 2.5 stable1 and Squid 2.5 Stable1
> 20030204 is broken. Using src/auth/digest/auth_digest.c, once a user
> has attempted a login further attempts succeed or fail based on the
> success of the first attempt. This is because the credentials_ok flag
> is not reset between attempts.
>
> The attached patch fixes this problem.

It cannot correctly fix the problem. Firstly every auth attempt requires
a correct HA1 and nonce to authenticate, the flag of 3 is used to
indicate failures, not successes.

Secondly, on overlapping requests, there is a race with your solution...
and the extant code.

What needs to be done is have the credentials_ok flag moved to the
request level, not the user level.

See the TODO around line 677.

Cheers,
Rob

--
GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.
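
The overlapping-request race described in the reply above, as an added example that is not part of the original message and is not Squid's code: a minimal model in which two requests for one user both verify before either is decided, with the result stored either on the user or on the request. The struct and function names, the string comparison standing in for the digest check, and every flag value other than 3 for failure are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not Squid's structures.
 * 3 = failure comes from the thread, the other values are assumed. */
enum cred_state { CRED_UNCHECKED = 0, CRED_OK = 1, CRED_FAILED = 3 };

struct user { const char *ha1; enum cred_state credentials_ok; };
struct request { struct user *user; const char *presented; enum cred_state credentials_ok; };

/* Stand-in for the digest comparison (a real check hashes HA1, nonce, etc.). */
static enum cred_state check(const struct request *r) {
    return strcmp(r->user->ha1, r->presented) == 0 ? CRED_OK : CRED_FAILED;
}

/* Step 1 of handling a request: verify and record the result. */
static void verify(struct request *r, int per_request) {
    if (per_request) r->credentials_ok = check(r);
    else r->user->credentials_ok = check(r);   /* shared by every request of this user */
}

/* Step 2, run later: act on the recorded result. */
static int allowed(const struct request *r, int per_request) {
    return (per_request ? r->credentials_ok : r->user->credentials_ok) == CRED_OK;
}

/* Interleave two requests for one user: both verify, then both are decided.
 * bad_first selects which request verifies first.
 * Returns bit 0 = good request allowed, bit 1 = bad request allowed. */
int overlap(int per_request, int bad_first) {
    struct user u = { "constructed-ha1", CRED_UNCHECKED };       /* constructed sample values */
    struct request good = { &u, "constructed-ha1", CRED_UNCHECKED };
    struct request bad = { &u, "wrong", CRED_UNCHECKED };
    if (bad_first) { verify(&bad, per_request); verify(&good, per_request); }
    else { verify(&good, per_request); verify(&bad, per_request); }
    return allowed(&good, per_request) | (allowed(&bad, per_request) << 1);
}

int main(void) {
    printf("user-level flag,    good verifies first: %d\n", overlap(0, 0));
    printf("user-level flag,    bad verifies first:  %d\n", overlap(0, 1));
    printf("request-level flag, good verifies first: %d\n", overlap(1, 0));
    printf("request-level flag, bad verifies first:  %d\n", overlap(1, 1));
    return 0;
}
```

With the flag on the user, the outcome for both requests is whatever the last verification wrote; with the flag on the request, the interleaving order has no effect.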