#3453 defect new
twisted.web._auth.digest mostly ignores the value of the uri field
|Reported by:||exarkun||Owned by:||retenodus|
While this digest auth implementation does use the uri value to compute the correct challenge response (as it must), it does nothing to comply with the requirements in section 22.214.171.124 of RFC 2617, reproduced here:
The authenticating server must assure that the resource designated by the "uri" directive is the same as the resource specified in the Request-Line; if they are not, the server SHOULD return a 400 Bad Request error. (Since this may be a symptom of an attack, server implementers may want to consider logging such errors.) The purpose of duplicating information from the request URL in this field is to deal with the possibility that an intermediate proxy may alter the client's Request-Line. This altered (but presumably semantically equivalent) request would not result in the same digest as that calculated by the client.