Review Request: Allow empty username/password for Basic and Digest authentication

Michael Leupold lemma at confuego.org
Mon Sep 14 12:35:16 BST 2009


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://reviewboard.kde.org/r/1601/
-----------------------------------------------------------

Review request for kdelibs and maelcum.


Summary
-------

According to RFC 2617, Basic authentication allows an empty username and an empty password. From what I can tell Digest does too (but I'm not 100% sure).

This patch removes checking username.isEmpty() and password.isEmpty() from KAbstractHttpAuthentication::generateResponseCommon(). Subsequently I added this check to the remaining auth classes I'm unsure about (NTLM and Challenge). If empty username/password are allowed for those as well (especially the latter makes sense), it should be removed from there as well (lines marked with TODO). If anyone knows how those protocols work, feel free to comment.

Bug 206851 isn't fully fixed by this patch as we still have some kind of situation if generateResponse() returns without setting m_headerFragment - however I currently don't have time to fix that.


This addresses bug 206851.
    https://bugs.kde.org/show_bug.cgi?id=206851


Diffs
-----

  /trunk/KDE/kdelibs/kioslave/http/httpauthentication.cpp 1023254 

Diff: http://reviewboard.kde.org/r/1601/diff


Testing
-------

Tested with an Apache server with basic authentication:
- user with username and password
- user with username but without password
- user without username but with password
- user without username and without password

Tested with an Apache server with digest authentication:
- user with username and password
- user with username but without password
- user without username but with password
- user without username and without password


Thanks,

Michael
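
An added illustration of the Basic case discussed above (not part of the patch or of kdelibs; `basicAuthorization` and `splitUserPass` are hypothetical helper names, standard C++ only). RFC 2617 defines the Basic credentials as base64 of `userid ":" password`, where either part may be empty but the userid may not contain a colon, so the sender rejects only that case and the receiver splits on the first colon:

```cpp
#include <cstddef>
#include <string>

// Standard base64 alphabet with '=' padding.
static std::string base64Encode(const std::string &in)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    std::size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {          // full 3-byte groups
        unsigned v = (static_cast<unsigned char>(in[i]) << 16)
                   | (static_cast<unsigned char>(in[i + 1]) << 8)
                   | static_cast<unsigned char>(in[i + 2]);
        out += tbl[(v >> 18) & 63]; out += tbl[(v >> 12) & 63];
        out += tbl[(v >> 6) & 63];  out += tbl[v & 63];
    }
    if (i < in.size()) {                         // 1 or 2 trailing bytes
        const bool two = (i + 1 < in.size());
        unsigned v = static_cast<unsigned char>(in[i]) << 16;
        if (two) v |= static_cast<unsigned char>(in[i + 1]) << 8;
        out += tbl[(v >> 18) & 63]; out += tbl[(v >> 12) & 63];
        out += two ? tbl[(v >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

// Sender side: empty user and/or password are valid input. Only a ':' in
// the user-id is refused, since the receiver could not split it correctly.
bool basicAuthorization(const std::string &user, const std::string &password,
                        std::string &header)
{
    if (user.find(':') != std::string::npos)
        return false;
    header = "Basic " + base64Encode(user + ":" + password);
    return true;
}

// Receiver side: split the decoded credentials on the FIRST ':' only, so an
// empty user-id, an empty password and passwords containing ':' all survive.
bool splitUserPass(const std::string &decoded, std::string &user,
                   std::string &password)
{
    const std::size_t colon = decoded.find(':');
    if (colon == std::string::npos)
        return false;                            // no separator: malformed
    user = decoded.substr(0, colon);
    password = decoded.substr(colon + 1);
    return true;
}
```

The four combinations listed under Testing map to the inputs `user:pass`, `user:`, `:pass` and `:`.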




