From 8804170ce3186bdd83b486959399ec7ac0f59d0f Mon Sep 17 00:00:00 2001 From: Stuart Douglas Date: Mon, 11 Dec 2017 10:51:51 +1100 Subject: [PATCH] UNDERTOW-1190 handle absolute URI in the digest mechanism --- .../impl/DigestAuthenticationMechanism.java | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java index e01724b44b..972a0cb0e4 100644 --- a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java +++ b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java @@ -239,10 +239,20 @@ private AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exc requestURI = requestURI + "?" + exchange.getQueryString(); } if(!uri.equals(requestURI)) { - //just end the auth process - exchange.setStatusCode(StatusCodes.BAD_REQUEST); - exchange.endExchange(); - return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; + //it is possible we were given an absolute URI + //we reconstruct the URI from the host header to make sure they match up + //I am not sure if this is overly strict, however I think it is better + //to be safe than sorry + requestURI = exchange.getRequestURL(); + if(!exchange.getQueryString().isEmpty()) { + requestURI = requestURI + "?" + exchange.getQueryString(); + } + if(!uri.equals(requestURI)) { + //just end the auth process + exchange.setStatusCode(StatusCodes.BAD_REQUEST); + exchange.endExchange(); + return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; + } } } else { return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;