segfault in http kioslave

Best, Jan-Pascal van j.p.vanbest at tbm.tudelft.nl
Tue Sep 17 08:08:31 BST 2002


Hi all,

I'm leaving on holiday soon so I turned off email delivery from lists.
Hope this won't break the thread.

> BTW, how did you register the password
> before hand ?  If it was done through the interface 
> this should not have happened.

I registered like this:

	// Credentials to cache for this account
	KIO::AuthInfo info;
	info.url = baseURL();
	info.username = mAccount;
	info.password = mPassword;
	info.realmValue = mHost;

	// Hand the credentials to kpasswdserver (in kded) over DCOP
	DCOPClient *dcopClient = new DCOPClient();
	dcopClient->attach();

	QByteArray params;
	QDataStream stream(params, IO_WriteOnly);
	stream << info << windowId;

	dcopClient->send( "kded", "kpasswdserver",
	                  "addAuthInfo(KIO::AuthInfo, long int)", params );
	dcopClient->detach();
	delete dcopClient;

Adding an extra
	info.digestInfo = "Basic";
served as a workaround.

> Does it help if you change 2189 to:
>       if ( checkCachedAuthentication( info ) && !info.digestInfo.isEmpty())

Haven't tried this, but since setting info.digestInfo helped I'm sure
this patch would have worked, too.


Hmm... Actually, checkCachedAuthentication should return false if
info.digestInfo is empty, at least that was the way it was IIRC.
Anyways, here is a better patch to fix both yours and Jean's issue.
Default to Basic and make case insensitive comparison:

Dawit's patch:

Index: http/http.cc
===================================================================
RCS file: /home/kde/kdelibs/kioslave/http/http.cc,v
retrieving revision 1.538
diff -u -p -b -B -w -r1.538 http.cc
--- http/http.cc        2002/09/11 13:47:19     1.538
+++ http/http.cc        2002/09/17 05:25:35
@@ -2186,7 +2186,11 @@ bool HTTPProtocol::httpOpen()
         info.username = m_request.user;
       if ( checkCachedAuthentication( info ) )
       {
-        Authentication = info.digestInfo.startsWith("Basic") ?
AUTH_Basic : AUTH_Digest ;
+        if (info.digestInfo.find("digest", 0, false) == 0)
+          Authentication = AUTH_Digest;
+        else
+          Authentication = AUTH_Basic;
+
         m_state.user   = info.username;
         m_state.passwd = info.password;
         m_strRealm = info.realmValue;
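
Review bot: the new else branch makes AUTH_Basic the fallback for every cached entry whose info.digestInfo does not start with "digest", which includes an empty string and any unrecognized scheme, so credentials cached without a scheme would be used with Basic even against a server that only issues Digest challenges. Consider choosing a scheme only when digestInfo explicitly names one (a case-insensitive "basic" or "digest" prefix) and otherwise not using the cached entry here, so the scheme is taken from the server's challenge instead. A short comment on the third argument in find("digest", 0, false) would also make the case-insensitive match obvious to the next reader.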

seems to default to using Basic authentication, which may in a 
security-conscious environment not be what you want. It basically 
blows account/password over the network in near cleartext even 
when the http server always asks for Digest. But if this is 
what's required (MUST) in an RFC, who am I to gripe?

Jan-Pascal

-- 
Jan-Pascal van Best
Delft University of Technology
http://www.tbm.tudelft.nl/webstaf/janb/index.htm 




More information about the kfm-devel mailing list