digest: reject broken header with session protocol but without qop

author Evgeny Grin (Karlson2k) <k2k@narod.ru>

Thu, 30 Jun 2022 15:30:21 +0000 (18:30 +0300)

committer Daniel Stenberg <daniel@haxx.se>

Sun, 7 Aug 2022 12:39:57 +0000 (14:39 +0200)
author Evgeny Grin (Karlson2k) <k2k@narod.ru>
Thu, 30 Jun 2022 15:30:21 +0000 (18:30 +0300)
committer Daniel Stenberg <daniel@haxx.se>
Sun, 7 Aug 2022 12:39:57 +0000 (14:39 +0200)
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c

index 9eac84098271d70b380a0672cde6f340ebf78101..afe83af1ad844a3c5d60b0bda3c0da20dfa0d35e 100644 (file)
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -637,6 +637,10 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg,
    if(!digest->nonce)
      return CURLE_BAD_CONTENT_ENCODING;
  
+  /* "<algo>-sess" protocol versions require "auth" or "auth-int" qop */
+  if(!digest->qop && (digest->algo & SESSION_ALGO))
+    return CURLE_BAD_CONTENT_ENCODING;
+
    return CURLE_OK;
  }
author	Evgeny Grin (Karlson2k) <k2k@narod.ru>
	Thu, 30 Jun 2022 15:30:21 +0000 (18:30 +0300)
committer	Daniel Stenberg <daniel@haxx.se>
	Sun, 7 Aug 2022 12:39:57 +0000 (14:39 +0200)