From: Chicken Trac
Subject: [Chicken-janitors] Re: #401: authorization header parsing for digest authentication (intarweb)
Date: Tue, 05 Oct 2010 18:26:42 -0000
#401: authorization header parsing for digest authentication (intarweb)
-------------------------+--------------------------------------------------
Reporter: daishi | Owner: sjamaan
Type: defect | Status: closed
Priority: critical | Milestone: 4.7.0
Component: extensions | Version: 4.6.x
Resolution: wontfix | Keywords: spiffy intarweb
-------------------------+--------------------------------------------------
Changes (by sjamaan):
* status: accepted => closed
* resolution: => wontfix
Comment:
You say its *purpose* is to authenticate, but its primary purpose is to
prevent session *replay attacks*. For that, you need to compare the nonce
count to earlier nonce count values, which is done numerically.
The fact that the nonce count is also put somewhere in the hash is to
prevent an attacker from spoofing the nonce count's value.
I stick with my initial point: it's fundamentally a number, and treating
it as a string in its native form is just wrong.
--
Ticket URL: <http://bugs.call-cc.org/ticket/401#comment:4>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
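The nc handling the comment argues about, as an added Python example that is not part of the ticket or of intarweb: the server reads nc as a hex number for the replay-ordering check, but hashes the literal 8LHEX string the client sent. The account, header values and nonces are constructed (the RFC 2617 section 3.5 sample vector plus made-up nonces); `verify` and `make_header` are demo helpers, not intarweb's API.

```python
import hashlib
import hmac
import re

# Constructed demo account (RFC 2617 section 3.5 sample values); not from the ticket.
USERS = {"Mufasa": ("testrealm@host.com", "Circle Of Life")}
_last_nc = {}  # highest nonce count accepted so far, per server nonce
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
_NC_8LHEX = re.compile(r"^[0-9a-f]{8}$")  # RFC 2617: nc-value = 8LHEX

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header):
    """Split 'Digest k=v, k="v", ...' into a dict; values stay as sent."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: q or u for k, q, u in _PARAM.findall(params)}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; nc is the literal 8LHEX string."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(method, header):
    """Server side: accept only a fresh, correctly signed request."""
    p = parse_digest(header)
    nc_str = p.get("nc", "")
    if "nonce" not in p or not _NC_8LHEX.match(nc_str):
        return False
    nc = int(nc_str, 16)  # the ordering/replay check is numeric ...
    if nc <= _last_nc.get(p["nonce"], 0):
        return False  # same or older count for this nonce: replay
    realm, password = USERS.get(p.get("username"), (None, None))
    if password is None or p.get("realm") != realm:
        return False
    expected = digest_response(p["username"], realm, password, method,
                               p.get("uri", ""), p["nonce"], nc_str, p.get("cnonce", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False  # ... but the hash covers the nc string exactly as sent
    _last_nc[p["nonce"]] = nc
    return True

def make_header(user, password, method, uri, nonce, nc, cnonce):
    # Client-side helper for the demo: builds the Authorization header value.
    realm = USERS[user][0]
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

A real server would also bind the per-nonce counter to the nonce's issue time and expire it, which the demo omits.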