author | Stef Walter <stef@memberwebs.com> | 2007-06-01 13:31:45 +0000 |
---|---|---|
committer | Stef Walter <stef@memberwebs.com> | 2007-06-01 13:31:45 +0000 |
commit | 20cde33c0b943c77a7c9d8d5d9c3d9281a6b13a5 (patch) | |
tree | a92ce9cbf1d56ec162ab2b179116b627dd2c2b30 | |
parent | 9ab8871e7d0387a7326d5179ab5b64a4995fce0d (diff) |
A better fix for the problem of the method not matching up with the digest auth.
-rw-r--r-- | daemon/digest.c | 14 | ||||
-rw-r--r-- | daemon/httpauthd.c | 7 | ||||
-rw-r--r-- | daemon/httpauthd.h | 3 | ||||
-rw-r--r-- | doc/httpauthd.conf.5 | 12 |
4 files changed, 14 insertions, 22 deletions
diff --git a/daemon/digest.c b/daemon/digest.c
index 1c68366..ecde6b7 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -356,7 +356,7 @@ int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t
 return HA_BADREQ; }
- if(!opts->digest_ignoreuri && strcmp(dg->client.uri, dg->server_uri) != 0)
+ if(!opts->digest_allowany && strcmp(dg->client.uri, dg->server_uri) != 0)
 { ha_uri_t d_uri; ha_uri_t s_uri;
@@ -489,7 +489,12 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
 const char** m; int ret;
- if(opts->digest_ignoremethod)
+ /* Use the method sent to us */
+ ret = internal_check (dg, dg->server_method, buf);
+ if(ret != HA_FALSE)
+ return ret;
+
+ if(opts->digest_allowany)
 { /* Try out each and every method in HTTP */ for(m = g_http_methods; *m; ++m)
@@ -499,11 +504,6 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
 break; } }
- else
- {
- /* Use the method sent to us */
- ret = internal_check (dg, dg->server_method, buf);
- }
 return ret; }
diff --git a/daemon/httpauthd.c b/daemon/httpauthd.c
index b77abcb..44156eb 100644
--- a/daemon/httpauthd.c
+++ b/daemon/httpauthd.c
@@ -1500,7 +1500,8 @@ static int config_parse(const char* file, ha_buffer_t* buf)
 if(ha_confbool(name, value, &v) < 0) exit(1); /* Message already printed */
- opts->digest_ignoreuri = v;
+ ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated, use DigestAllowAnyPath");
+ opts->digest_allowany = v;
 recog = 1; }
@@ -1514,13 +1515,13 @@ static int config_parse(const char* file, ha_buffer_t* buf)
 recog = 1; }
- else if(strcmp(name, "digestignoremethod") == 0)
+ else if(strcmp(name, "digestallowanypath") == 0)
 { int v; if(ha_confbool(name, value, &v) < 0) exit(1); /* Message already printed */
- opts->digest_ignoremethod = v;
+ opts->digest_allowany = v;
 recog = 1; }
diff --git a/daemon/httpauthd.h b/daemon/httpauthd.h
index 36c8449..1540138 100644
--- a/daemon/httpauthd.h
+++ b/daemon/httpauthd.h
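Review bot: In digest_complete_check (hunk at -489), a response that fails for `dg->server_method` but validates under another entry of `g_http_methods` is accepted with no trace that the fallback was used. The man page in this same commit says the mismatch opens up replay attacks, so the fallback success path should be logged, for example `ha_messagex(NULL, LOG_WARNING, "digest: response matched a different HTTP method than the request");` at the point where the loop breaks on a match. The first argument and the exact spot are guesses, because the loop body lies between this hunk and the next and is not shown. The loop also re-checks the method already tried above; a comment such as `/* server_method already failed above; this only widens the match */` would make that intent clear.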
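Review bot: The deprecation warning added for DigestIgnoreURI in config_parse (hunk at -1500) does not say that the option now means more than it used to: it sets `digest_allowany`, which after this commit also lets digest_complete_check accept any HTTP method. A configuration that only relaxed the URI check is therefore widened on upgrade without the operator being told. Consider `ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated and now also relaxes the HTTP method check, use DigestAllowAnyPath");`. Both directives write the same bit, so whichever appears later in the file wins; the head of this branch is outside the hunk.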
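Review bot: The `digestignoremethod` branch (hunk at -1514) is renamed rather than kept as an alias, so a configuration that still sets DigestIgnoreMethod falls through to whatever config_parse does with an unrecognised name, which is not visible here. DigestIgnoreURI gets a deprecation path in the previous hunk; DigestIgnoreMethod should get the same treatment, or be rejected with a message naming the replacement, so that the wider setting is an explicit operator choice. A branch along these lines next to the new one would do it; the surrounding else-if chain continues outside the hunk.

```c
else if(strcmp(name, "digestignoremethod") == 0)
{
    int v;
    if(ha_confbool(name, value, &v) < 0)
        exit(1); /* Message already printed */

    ha_messagex(NULL, LOG_WARNING, "DigestIgnoreMethod is deprecated and now also relaxes the URI check, use DigestAllowAnyPath");
    opts->digest_allowany = v;
    recog = 1;
}

/* ... unchanged: digestallowanypath branch ... */
```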
@@ -118,8 +118,7 @@ typedef struct ha_context
 const char* realm; /* For digest auth: */
- unsigned int digest_ignoremethod : 1;
- unsigned int digest_ignoreuri : 1;
+ unsigned int digest_allowany : 1;
 unsigned int digest_ignorenc : 1; const char* digest_debugnonce; }
diff --git a/doc/httpauthd.conf.5 b/doc/httpauthd.conf.5
index bae1d2d..7bca8b6 100644
--- a/doc/httpauthd.conf.5
+++ b/doc/httpauthd.conf.5
@@ -148,14 +148,6 @@ How this exactly works depends on the method it applies to.
 [ Default: .Em 900 ]
-.It Cd DigestIgnoreMethod
-When set to
-.Em True
-allows the HTTP method value in
-.Em Digest
-authentication to be mismatched with the actual request. This opens
-up a variety of replay attacks, but is useful for pass-through
-authentication (eg: a website using a SOAP service).
 .It Cd DigestIgnoreNC When set to .Em True
@@ -166,10 +158,10 @@ authentication to be incorrect. This opens up various replay attacks.
 [ Default: .Em False ]
-.It Cd DigestIgnoreURI
+.It Cd DigestAllowAnyPath
 When set to .Em True
-allows the URI value in
+allows the URI value or HTTP method in
 .Em Digest authentication to be mismatched with the URI requested. This opens up a variety of replay attacks, but is useful for pass-through |
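Review bot: `digest_allowany` in struct ha_context now carries two relaxations, but the field has no comment and its name does not say what "any" covers. A comment on the field, e.g. `/* Accept a digest whose URI or HTTP method differs from the request (DigestAllowAnyPath) */`, would keep the next reader from assuming it only affects paths. The struct starts before the hunk.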