From 32e277acbf35de454befc1573aff1063a55403cf Mon Sep 17 00:00:00 2001 From: normal Date: Wed, 28 Mar 2018 08:06:49 +0000 Subject: [PATCH] webrick/httpauth/digestauth: stream req.body WARNING! WARNING! WARNING! LIKELY BROKEN CHANGE Pass a proc to WEBrick::HTTPRequest#body to avoid reading a potentially large request body into memory during authentication. WARNING! this will break apps completely which want to do something with the body besides calculating the MD5 digest of it. Also, keep in mind that probably nobody uses "auth-int". Servers such as Apache, lighttpd, nginx don't seem to support it; nor does curl when using POST/PUT bodies; and we didn't have tests for it until now... * lib/webrick/httpauth/digestauth.rb (_authenticate): stream req.body git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62965 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- lib/webrick/httpauth/digestauth.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/webrick/httpauth/digestauth.rb b/lib/webrick/httpauth/digestauth.rb index 375ec20154..94f849a02e 100644 --- a/lib/webrick/httpauth/digestauth.rb +++ b/lib/webrick/httpauth/digestauth.rb @@ -235,9 +235,11 @@ module WEBrick ha2 = hexdigest(req.request_method, auth_req['uri']) ha2_res = hexdigest("", auth_req['uri']) elsif auth_req['qop'] == "auth-int" - ha2 = hexdigest(req.request_method, auth_req['uri'], - hexdigest(req.body)) - ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body)) + body_digest = @h.new + req.body { |chunk| body_digest.update(chunk) } + body_digest = body_digest.hexdigest + ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest) + ha2_res = hexdigest("", auth_req['uri'], body_digest) end if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"