Review Request: Allow empty username/password for Basic and Digest authentication

ahartmetz at gmail.com ahartmetz at gmail.com
Mon Sep 28 21:15:09 BST 2009


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://reviewboard.kde.org/r/1601/#review2490
-----------------------------------------------------------


First off, sorry for being slow to respond, I've been somewhat busy and will be for another two weeks or so.
In Negotiate auth, please check if m_needCredentials can ever be set. it probably can't because Negotiate / Kerberos auth has other means (GSSAPI) to get the credentials, it doesn't use the KDE password system. So the check for empty credetials could be removed there.
The rest looks fine.

- maelcum


On 2009-09-14 11:35:16, Michael Leupold wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://reviewboard.kde.org/r/1601/
> -----------------------------------------------------------
> 
> (Updated 2009-09-14 11:35:16)
> 
> 
> Review request for kdelibs and maelcum.
> 
> 
> Summary
> -------
> 
> According to RFC 2617, Basic authentication allows an empty username and an empty password. From what I can tell Digest does too (but I'm not 100% sure).
> 
> This patch removes checking username.isEmpty() and password.isEmpty() from KAbstractHttpAuthentication::generateResponseCommon(). Subsequently I added this check to the remaining auth classes I'm unsure about (NTLM and Challenge). If empty username/password are allowed for those as well (especially the latter makes sense), it should be removed from there as well (lines marked with TODO). If anyone knows how those protocols work, feel free to comment.
> 
> Bug 206851 isn't fully fixed by this patch as we still have some kind of situation if generateResponse() returns without setting m_headerFragment - however I currently don't have time to fix that.
> 
> 
> This addresses bug 206851.
>     https://bugs.kde.org/show_bug.cgi?id=206851
> 
> 
> Diffs
> -----
> 
>   /trunk/KDE/kdelibs/kioslave/http/httpauthentication.cpp 1023254 
> 
> Diff: http://reviewboard.kde.org/r/1601/diff
> 
> 
> Testing
> -------
> 
> Tested with an Apache server with basic authentication:
> - user with username and password
> - user with username but without password
> - user without username but with password
> - user without username and without password
> 
> Tested with an Apache server with digest authentication:
> - user with username and password
> - user with username but without password
> - user without username but with password
> - user without username and without password
> 
> 
> Thanks,
> 
> Michael
> 
>





More information about the kde-core-devel mailing list