Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Changes to http-auth

From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 19 Dec 2011 08:02:05 +0100
On Mon, Dec 19, 2011 at 1:22 AM, David Fifield <david () bamsoftware com>wrote:


On Sat, Dec 17, 2011 at 10:46:15PM +0100, Patrik Karlsson wrote:

Hi all,

I've reworked the http-auth to handle multiple Authentication headers

being

returned from the server.


Didn't it work that way before? The http library should join
together multiple headers with a comma, and http.parse_www_authenticate
should know how to deal with that. Manually parsing answer.rawheader
seems wrong--http.parse_header does that already, including some tricky
cases.

I tested locally against a dummy server offering Basic and Digest and it
worked before your patch. What did you run into that caused you to have
to change it?

ncat -l 8080 --sh-exec 'cat auth.http' -k

David Fifield



Ok, I reverted my patch just now, but it doesn't work anymore for me, this
is what I get:
| Server returned status 401 but the WWW-Authenticate header could not be
parsed.
|_WWW-Authenticate: Negotiate, NTLM, Digest
qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1e4e256b4afb7f89b4eb43b241bbecc019ac8910c0451d75eda21f0a01b277e4dd0ec235788fb373269ed29fa7da630b1",charset=utf-8,realm="
example.com", Basic realm="example.com"

It seems to fail in http.parse_www_authenticate as far as I can tell. I'll
see if I can look into it later.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: