1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
use strict;
use warnings FATAL => 'all';
use Apache::Test;
use Apache::TestRequest;
use Apache::TestUtil qw(t_cmp t_write_file);
use File::Spec;
plan tests => 13, need need_lwp,
need_module('mod_auth_digest'),
need_min_apache_version('2.0.51');
my ($no_query_auth, $query_auth, $bad_query);
# write out the authentication file
my $file = File::Spec->catfile(Apache::Test::vars('serverroot'), 'realm1');
t_write_file($file, <DATA>);
my $url = '/digest/index.html';
my $query = 'try=til%7Ede';
{
my $response = GET $url;
ok t_cmp($response->code,
401,
'no user to authenticate');
}
{
# bad pass
my $response = GET $url,
username => 'user1', password => 'foo';
ok t_cmp($response->code,
401,
'user1:foo not found');
}
{
# authenticated
my $response = GET $url,
username => 'user1', password => 'password1';
ok t_cmp($response->code,
200,
'user1:password1 found');
# set up for later
$no_query_auth = $response->request->headers->authorization;
}
# now that we know normal digest auth works, play with the query string
{
# add a query string
my $response = GET "$url?$query",
username => 'user1', password => 'password1';
ok t_cmp($response->code,
200,
'user1:password1 with query string found');
# set up for later
$query_auth = $response->request->headers->authorization;
}
{
# do the auth header ourselves
my $response = GET "$url?$query", Authorization => $query_auth;
ok t_cmp($response->code,
200,
'manual Authorization header query string');
}
{
# remove the query string from the uri - bang!
(my $noquery = $query_auth) =~ s!$query!!;
my $response = GET "$url?$query",
Authorization => $noquery;
ok t_cmp($response->code,
400,
'manual Authorization with no query string in header');
}
{
# same with changing the query string in the header
($bad_query = $query_auth) =~ s!$query!something=else!;
my $response = GET "$url?$query",
Authorization => $bad_query;
ok t_cmp($response->code,
400,
'manual Authorization header with mismatched query string');
}
{
# another mismatch
my $response = GET $url,
Authorization => $query_auth;
ok t_cmp($response->code,
400,
'manual Authorization header with mismatched query string');
}
# finally, the MSIE tests
{
if (have_min_apache_version("2.5.0")) {
skip "'AuthDigestEnableQueryStringHack' has been removed in r1703305";
}
else
{
# fake current MSIE behavior - this should work as of 2.0.51
my $response = GET "$url?$query",
Authorization => $no_query_auth,
'X-Browser' => 'MSIE';
ok t_cmp($response->code,
200,
'manual Authorization with no query string in header + MSIE');
}
}
{
# pretend MSIE fixed itself
my $response = GET "$url?$query",
username => 'user1', password => 'password1',
'X-Browser' => 'MSIE';
ok t_cmp($response->code,
200,
'a compliant response coming from MSIE');
}
{
# this still bombs
my $response = GET "$url?$query",
Authorization => $bad_query,
'X-Browser' => 'MSIE';
ok t_cmp($response->code,
400,
'manual Authorization header with mismatched query string + MSIE');
}
{
# as does this
my $response = GET $url,
Authorization => $query_auth,
'X-Browser' => 'MSIE';
ok t_cmp($response->code,
400,
'manual Authorization header with mismatched query string + MSIE');
}
{
# no hack required
my $response = GET $url,
username => 'user1', password => 'password1',
'X-Browser' => 'MSIE';
ok t_cmp($response->code,
200,
'no query string + MSIE');
}
__DATA__
# user1/password1
user1:realm1:4b5df5ee44449d6b5fbf026a7756e6ee
|