From a8896fa89c4f3436a9fa009764a9b1a824f44e79 Mon Sep 17 00:00:00 2001
From: deuce <>
Date: Thu, 31 Jan 2008 18:34:05 +0000
Subject: [PATCH] Use URI from request line if not specified in the
 authentication header. Validate cnonce and nc values for qop and ensure they
 are not present for unspecified qops.

---
 src/sbbs3/websrvr.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index 39ab96a991..9e970a14ed 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -1531,6 +1531,20 @@ static BOOL check_ars(http_session_t * session)
 					return(FALSE);
 				if(session->req.auth.algorithm==ALGORITHM_UNKNOWN)
 					return(FALSE);
+				/* Validate rules from RFC-2617 */
+				if(session->req.auth.qop_value==QOP_AUTH
+						|| session->req.auth.qop_value==QOP_AUTH_INT) {
+					if(session->req.auth.cnonce==NULL)
+						return(FALSE);
+					if(session->req.auth.nonce_count==NULL)
+						return(FALSE);
+				}
+				else {
+					if(session->req.auth.cnonce!=NULL)
+						return(FALSE);
+					if(session->req.auth.nonce_count!=NULL)
+						return(FALSE);
+				}
 
 				/* H(A1) */
 				MD5_open(&ctx);
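Review bot: The qop branch added to check_ars only tests that `cnonce` and `nonce_count` are non-NULL, so an empty cnonce or an nc that is not the eight-hex-digit form RFC 2617 specifies still reaches the H(A1) computation. Assuming both fields are C strings, the nc check could be tightened to `if(session->req.auth.nonce_count==NULL || strlen(session->req.auth.nonce_count)!=8 || strspn(session->req.auth.nonce_count,"0123456789abcdefABCDEF")!=8) return(FALSE);`. Nothing visible in this hunk compares nc against the last count seen for the nonce, and that comparison is what gives qop its replay protection; if it is not done elsewhere, a comment such as `/* TODO: reject nc values not greater than the last one seen for this nonce */` would record the gap. The else branch also treats any qop value other than QOP_AUTH and QOP_AUTH_INT as "no qop", so it is worth confirming that an unrecognised qop token is rejected before this point. The body of check_ars starts and ends outside the hunk.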
@@ -2234,6 +2248,8 @@ static BOOL parse_headers(http_session_t * session)
 								while(*p && !isspace(*p))
 									p++;
 							}
+							if(session->req.auth.digest_uri==NULL)
+								session->req.auth.digest_uri=strdup(session->req.request_line);
 						}
 					}
 					break;
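Review bot: The `strdup()` result assigned to `digest_uri` in parse_headers is not checked, so on allocation failure the field stays NULL and any later code that hashes it without a NULL test would dereference a null pointer. A guard right after the assignment, `if(session->req.auth.digest_uri==NULL) return(FALSE);`, would close that path, provided a FALSE return is how parse_headers reports a fatal error. The name `request_line` suggests the full request line rather than only the Request-URI; if so, the fallback value will not match what the client hashed into A2, and a short comment stating what the field holds would help. RFC 2617 makes the `uri` directive mandatory and expects the server to compare it with the actual request target. Defaulting it silently is lenient, and nothing in this hunk shows that comparison being made when the directive is present. The enclosing function starts and ends outside the hunk.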
-- 
GitLab