diff options
| author | normal <normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 08:06:49 +0000 |
|---|---|---|
| committer | normal <normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 08:06:49 +0000 |
| commit | 32e277acbf35de454befc1573aff1063a55403cf (patch) | |
| tree | 2894fd939659e6fc93fc574c0bc52b33c768fedc | |
| parent | df2ce3434f07842ec1b7a6c2137b51b2ef20472c (diff) | |
webrick/httpauth/digestauth: stream req.body
WARNING! WARNING! WARNING! LIKELY BROKEN CHANGE
Pass a proc to WEBrick::HTTPRequest#body to avoid reading a
potentially large request body into memory during
authentication.
WARNING! this will break apps completely which want to do
something with the body besides calculating the MD5 digest
of it.
Also, keep in mind that probably nobody uses "auth-int".
Servers such as Apache, lighttpd, nginx don't seem to
support it; nor does curl when using POST/PUT bodies;
and we didn't have tests for it until now...
* lib/webrick/httpauth/digestauth.rb (_authenticate): stream req.body
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62965 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | lib/webrick/httpauth/digestauth.rb | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/webrick/httpauth/digestauth.rb b/lib/webrick/httpauth/digestauth.rb index 375ec20154..94f849a02e 100644 --- a/lib/webrick/httpauth/digestauth.rb +++ b/lib/webrick/httpauth/digestauth.rb @@ -235,9 +235,11 @@ module WEBrick ha2 = hexdigest(req.request_method, auth_req['uri']) ha2_res = hexdigest("", auth_req['uri']) elsif auth_req['qop'] == "auth-int" - ha2 = hexdigest(req.request_method, auth_req['uri'], - hexdigest(req.body)) - ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body)) + body_digest = @h.new + req.body { |chunk| body_digest.update(chunk) } + body_digest = body_digest.hexdigest + ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest) + ha2_res = hexdigest("", auth_req['uri'], body_digest) end if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int" |