ruby-changes:50775
From: normal <ko1@a...>
Date: Wed, 28 Mar 2018 17:15:40 +0900 (JST)
Subject: [ruby-changes:50775] normal:r62965 (trunk): webrick/httpauth/digestauth: stream req.body
normal 2018-03-28 17:06:49 +0900 (Wed, 28 Mar 2018) New Revision: 62965 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62965 Log: webrick/httpauth/digestauth: stream req.body WARNING! WARNING! WARNING! LIKELY BROKEN CHANGE Pass a proc to WEBrick::HTTPRequest#body to avoid reading a potentially large request body into memory during authentication. WARNING! this will break apps completely which want to do something with the body besides calculating the MD5 digest of it. Also, keep in mind that probably nobody uses "auth-int". Servers such as Apache, lighttpd, nginx don't seem to support it; nor does curl when using POST/PUT bodies; and we didn't have tests for it until now... * lib/webrick/httpauth/digestauth.rb (_authenticate): stream req.body Modified files: trunk/lib/webrick/httpauth/digestauth.rb Index: lib/webrick/httpauth/digestauth.rb =================================================================== --- lib/webrick/httpauth/digestauth.rb (revision 62964) +++ lib/webrick/httpauth/digestauth.rb (revision 62965) @@ -235,9 +235,11 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/httpauth/digestauth.rb#L235 ha2 = hexdigest(req.request_method, auth_req['uri']) ha2_res = hexdigest("", auth_req['uri']) elsif auth_req['qop'] == "auth-int" - ha2 = hexdigest(req.request_method, auth_req['uri'], - hexdigest(req.body)) - ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body)) + body_digest = @h.new + req.body { |chunk| body_digest.update(chunk) } + body_digest = body_digest.hexdigest + ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest) + ha2_res = hexdigest("", auth_req['uri'], body_digest) end if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int" -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
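Review bot: the new `ha2_res = hexdigest("", auth_req['uri'], body_digest)` line hashes the request body, whereas the line it replaces hashed `res.body`; per RFC 2617 section 3.2.3 the A2 behind the `rspauth` value in Authentication-Info is `":" digest-uri-value ":" H(entity-body)` with the entity-body of the response, so this silently changes what `ha2_res` means, and the log message does not mention it. If `res.body` is always empty at this point because the response has not been generated yet, say so in a comment next to `ha2_res`; otherwise keep a separate digest for the response body. Two smaller points on the same hunk: the log says there were no auth-int tests "until now", but the only modified file is lib/webrick/httpauth/digestauth.rb, so a test that POSTs a body with qop=auth-int and checks the streamed digest should accompany this change; and a one-line comment above `req.body { |chunk| body_digest.update(chunk) }` should state that the block form consumes the body, so handlers running after authentication can no longer read it (the warning currently lives only in the commit message).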
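The digest computation this change streams, as an added example that is not WEBrick's code and not part of the commit: it computes the RFC 2617 request-digest for qop="auth" and qop="auth-int", building H(entity-body) by feeding chunks into a Digest::MD5 object (the same `@h.new` / `update` / `hexdigest` pattern as in r62965) and checks that the streamed result equals the whole-body digest of the removed code. The `chunks` enumerator stands in for the block-yielding WEBrick::HTTPRequest#body, `RFC_PARAMS` are the section 3.5 example values from RFC 2617, and `SAMPLE_BODY` is a constructed request body; everything else (module and method names) is this example's own.

```ruby
require 'digest'
require 'stringio'

# Added example (not WEBrick's code): RFC 2617 Digest Access Authentication
# with qop="auth" and qop="auth-int", where H(entity-body) for auth-int is
# built by streaming chunks into the hash object, the way r62965 streams
# req.body, rather than slurping the whole body into one String first.
module DigestAuthExample
  module_function

  # Same shape as WEBrick::HTTPAuth::DigestAuth#hexdigest: MD5 of the
  # colon-joined arguments (a nil argument joins as the empty string).
  def hexdigest(*args)
    Digest::MD5.hexdigest(args.join(":"))
  end

  # Hash a body delivered chunk by chunk. `each_chunk` is anything whose
  # #each yields Strings; memory use is bounded by the chunk size, not the body.
  def streamed_body_digest(each_chunk)
    h = Digest::MD5.new
    each_chunk.each { |chunk| h.update(chunk) }
    h.hexdigest
  end

  # Enumerator that reads an IO in fixed-size pieces (stands in for the
  # block-yielding WEBrick::HTTPRequest#body). IO#read(size) returns nil at EOF.
  def chunks(io, size)
    Enumerator.new do |y|
      while (piece = io.read(size))
        y << piece
      end
    end
  end

  # request-digest per RFC 2617 3.2.2.1. p is a Hash with
  # :username, :realm, :password, :method, :uri, :nonce, :nc, :cnonce, :qop.
  # For qop="auth-int", each_chunk supplies the entity-body.
  def request_digest(p, each_chunk = [])
    ha1 = hexdigest(p[:username], p[:realm], p[:password])
    ha2 = if p[:qop] == "auth-int"
            hexdigest(p[:method], p[:uri], streamed_body_digest(each_chunk))
          else
            hexdigest(p[:method], p[:uri])
          end
    hexdigest(ha1, p[:nonce], p[:nc], p[:cnonce], p[:qop], ha2)
  end

  # RFC 2617 section 3.5 example credentials (a real vector from the RFC).
  RFC_PARAMS = {
    username: "Mufasa", realm: "testrealm@host.com", password: "Circle Of Life",
    method: "GET", uri: "/dir/index.html",
    nonce: "dcd98b7102dd2f0e8b11d0f600bfb0c093", nc: "00000001",
    cnonce: "0a4f113b", qop: "auth"
  }.freeze

  # Constructed request body for the auth-int cases (not from the RFC).
  SAMPLE_BODY = ("{\"id\":1,\"op\":\"transfer\",\"amount\":250}\n" * 40).freeze

  # auth-int digest of `body` read from an IO in `size`-byte chunks (new way).
  def auth_int_streamed(size, body = SAMPLE_BODY)
    p = RFC_PARAMS.merge(method: "POST", qop: "auth-int")
    request_digest(p, chunks(StringIO.new(body), size))
  end

  # Same digest computed the pre-r62965 way, with the whole body in memory.
  def auth_int_whole(body = SAMPLE_BODY)
    p = RFC_PARAMS.merge(method: "POST", qop: "auth-int")
    ha1 = hexdigest(p[:username], p[:realm], p[:password])
    ha2 = hexdigest(p[:method], p[:uri], hexdigest(body))
    hexdigest(ha1, p[:nonce], p[:nc], p[:cnonce], "auth-int", ha2)
  end
end

if $PROGRAM_NAME == __FILE__
  puts DigestAuthExample.request_digest(DigestAuthExample::RFC_PARAMS)
  puts DigestAuthExample.auth_int_streamed(7)
  puts DigestAuthExample.auth_int_whole
end
```

The qop="auth" path reproduces the RFC's published response value, which pins the helper down before the auth-int path is trusted; the auth-int path is then checked by showing that the chunk size does not affect the result, that it equals the whole-body computation, and that changing a single byte of the body changes the digest. The empty-body case hashes the empty string, which is also what the removed `hexdigest(req.body)` produced for a nil body, so a GET with no entity-body is unaffected by the switch to streaming.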