From 8804170ce3186bdd83b486959399ec7ac0f59d0f Mon Sep 17 00:00:00 2001
From: Stuart Douglas <stuart.w.douglas@gmail.com>
Date: Mon, 11 Dec 2017 10:51:51 +1100
Subject: [PATCH] UNDERTOW-1190 handle absolute URI in the digest mechanism
---
.../impl/DigestAuthenticationMechanism.java | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
|
|
index e01724b44b..972a0cb0e4 100644
|
|
--- a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
|
|
+++ b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
|
|
@@ -239,10 +239,20 @@ private AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exc
|
|
requestURI = requestURI + "?" + exchange.getQueryString();
|
|
}
|
|
if(!uri.equals(requestURI)) {
|
|
- //just end the auth process
|
|
- exchange.setStatusCode(StatusCodes.BAD_REQUEST);
|
|
- exchange.endExchange();
|
|
- return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
|
|
+ //it is possible we were given an absolute URI
|
|
+ //we reconstruct the URI from the host header to make sure they match up
|
|
+ //I am not sure if this is overly strict, however I think it is better
|
|
+ //to be safe than sorry
|
|
+ requestURI = exchange.getRequestURL();
|
|
+ if(!exchange.getQueryString().isEmpty()) {
|
|
+ requestURI = requestURI + "?" + exchange.getQueryString();
|
|
+ }
|
|
+ if(!uri.equals(requestURI)) {
|
|
+ //just end the auth process
|
|
+ exchange.setStatusCode(StatusCodes.BAD_REQUEST);
|
|
+ exchange.endExchange();
|
|
+ return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
|
|
+ }
|
|
}
|
|
} else {
|
|
return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
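Review bot: The fallback comparison on the added `requestURI = exchange.getRequestURL();` line checks the Digest `uri` parameter against a URL that, as far as can be told from here, is reconstructed from the request's own scheme and Host header, so a match only proves the client's `uri` agrees with headers the same client sent; the actual binding to the resource comes from `uri` feeding the response hash, which the added code does not change, and the "not sure if this is overly strict" comment should say that rather than leave the intent open. I would replace those four comment lines with `// An absolute-form uri is accepted only when it equals the URL reconstructed from this request's scheme and Host header (plus query); the path and query are what tie the digest response to the resource, the host part is the client's own value.` and, if scheme/host can be rewritten by a proxy in front of this server, confirm that `getRequestURL()` reflects the value the client actually signed. The query-string append and the BAD_REQUEST bail-out are now duplicated between the two branches; computing both candidate forms once and checking `uri` against either would avoid the copy. `handleDigestHeader` starts before and continues after this hunk.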
|