[squid-users] Squid Digest ident bug ?

From: FredB <fredbmail_at_free.fr>
Date: Mon, 4 Nov 2013 17:21:15 +0100 (CET)

Hello,

I'm seeing something strange with digest and squid

With an url like this http://www.hercules.com/thumb/phpThumb.php?q=95&w=110&h=110&src=D:\inetpub\www.hercules.com\fichier\h_photo\883\photo_file_eplugnano500.715.png&f=jpeg&bg=FFFFFF

Squid breaks the identification and loops to replay user/password

After many tests, these kinds of URLs are enough

http://test.xx/test.php?=d:\
http://test.xx/test.php?c\
http://test.xx/test.php=?c\
http://test.xx/testphp=?c\
And also
http://test.xx/testphp?test\
http://test.xx/testphp?test\test

But

http://test.xx/test.php?=c: -> no problem
http://test.xx/test.php=c:\ -> no problem
http://test.xx/testphp\test\test -> no problem

A link between ? - ? and \ -

Same problem with Firefox or IE

With each request my nonce changes:

http://test.xx/testphp?test\test

Digest username=\"fb\", realm=\"TEST\", nonce=\"csZ3UvgEvgy1JyB8\", uri=\"/testphp?test\\test\", response=\"9d45408e10947be1e3b30687debdaf59\", qop=auth, nc=00000007, cnonce=\"7dd57eb66bea3863\"
Digest username=\"fb\", realm=\"TEST\", nonce=\"s8Z3UtjMpgybCDlF\", uri=\"/testphp?test\\test\", response=\"ba4e42e292a37e4608197c9eaa027e36\", qop=auth, nc=00000001, cnonce=\"e445e6971c14a053\"

Any help would be appreciated
Received on Mon Nov 04 2013 - 16:21:29 MST
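
Added example (not part of the original post and not Squid's code): a Python check of how the treatment of a backslash inside the quoted uri= value changes the RFC 2617 digest that the client and the verifier compute. The field values are taken from the first header in the post; the password, the GET method and all function names are assumptions made up for this illustration.

```python
import hashlib
import re

# name="quoted value" (backslash + any char kept together) or name=token
PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')

def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(p, method, password):
    # RFC 2617 request-digest for qop=auth with the default MD5 algorithm.
    ha1 = md5hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5hex(f"{method}:{p['uri']}")
    return md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def build_header(p, method, password, escape):
    # Constructed client: hashes the real uri, then optionally writes each
    # backslash as a quoted-pair (two backslashes) in the header value.
    wire_uri = p["uri"].replace("\\", "\\\\") if escape else p["uri"]
    resp = digest_response(p, method, password)
    return (f'Digest username="{p["username"]}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{wire_uri}", response="{resp}", '
            f'qop={p["qop"]}, nc={p["nc"]}, cnonce="{p["cnonce"]}"')

def parse_header(header, unescape):
    # unescape=True reads backslash + char in a quoted value as a quoted-pair;
    # unescape=False keeps every backslash literally.
    params = {}
    for m in PARAM.finditer(header.split(" ", 1)[1]):
        key, quoted, token = m.groups()
        if quoted is None:
            params[key] = token
        else:
            params[key] = re.sub(r"\\(.)", r"\1", quoted) if unescape else quoted
    return params

def verify(header, method, password, unescape):
    p = parse_header(header, unescape)
    return p.get("response") == digest_response(p, method, password)

def mismatch_matrix(method="GET", password="constructed-pw"):
    # Keys are (client_escapes, verifier_unescapes); values say whether auth passes.
    p = {"username": "fb", "realm": "TEST", "nonce": "csZ3UvgEvgy1JyB8",
         "uri": "/testphp?test\\test", "qop": "auth", "nc": "00000007",
         "cnonce": "7dd57eb66bea3863"}
    return {(esc, unesc): verify(build_header(p, method, password, esc),
                                 method, password, unesc)
            for esc in (True, False) for unesc in (True, False)}
```

Verification succeeds only when both sides apply the same rule to the backslash; in the two mixed cases the verifier hashes a different uri string than the client did.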
