NAKAMURA, Hiroshi
2/5/2006 9:57:00 AM
Hi,
Sorry I couldn't reply sooner.
yonatan_avraham@hotmail.com wrote:
> I fixed the problem of always sending the password in the clear by
> checking the HTTP and making sure that the server is indeed requesting
> basic realm. In class BasicAuth I added lines with +:
>
> def set(uri, user_id, passwd)
> uri = uri.clone
>
> + # Make sure that the server is really requesting Basic
> Authentication!
> + serverRealm = (@client.head(uri).header['WWW-Authenticate']).join
> + return nil if ("Basic realm".downcase !=
> serverRealm[0,11].downcase)
>
> uri.path = uri.path.sub(/\/[^\/]*$/, '/')
> @auth[uri] = ["#{user_id}:#{passwd}"].pack('m').strip
> @client.reset_all
> end
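Review bot: The check on the added `serverRealm = (@client.head(uri).header['WWW-Authenticate']).join` line runs once, when credentials are registered, and against a separate HEAD response, so it does not gate the later request on which the value stored in `@auth[uri]` is actually sent. The test for a Basic challenge belongs where the Authorization header is built, keyed on the challenge returned for that request. On the same lines, `.join` concatenates every WWW-Authenticate value, so comparing `serverRealm[0,11]` only inspects the first challenge and rejects a server that lists another scheme before Basic; a response with no WWW-Authenticate header should also be handled explicitly rather than relying on `.join` of whatever the lookup returns. The silent `return nil` leaves the caller unable to tell that the credentials were not registered; raising or logging would make that visible.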
I think I understood the problem, but the problem is in BasicAuth#get,
not in BasicAuth#set, right? http-access2 now sends the password to a
defined realm even if WWW-Authenticate is missing.
I'll fix this. Thanks.
Regards,
// NaHi
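The behaviour discussed in this thread (the password being sent even when WWW-Authenticate is missing or names another scheme) comes down to deciding, per response, whether a Basic challenge was actually offered. The following is an added example, not http-access2's code and not from either poster; the helper names `parse_challenges` and `basic_authorization` and the sample headers are constructed for illustration.

```ruby
require 'strscan'

TOKEN  = /[!$%&'*+\-.^_`|~#0-9A-Za-z]+/   # RFC 7230 token characters
QUOTED = /"((?:[^"\\]|\\.)*)"/            # quoted-string, group 1 = contents

# Parse WWW-Authenticate header value(s) into [scheme, {param => value}] pairs.
# Quoted strings are consumed whole, so text such as "Basic" inside a realm
# value is never mistaken for a challenge.
def parse_challenges(values)
  challenges = []
  Array(values).each do |value|
    s = StringScanner.new(value)
    until s.eos?
      s.skip(/[\s,]+/)
      name = s.scan(TOKEN) or break        # end of input or malformed: stop
      if s.skip(/\s*=\s*/)                 # name=value: param of current challenge
        val = s.scan(QUOTED) ? s[1].gsub(/\\(.)/, '\1') : s.scan(TOKEN)
        break if val.nil? || challenges.empty?
        challenges.last[1][name.downcase] = val
      else                                 # bare token: a new scheme begins
        challenges << [name.downcase, {}]
      end
    end
  end
  challenges
end

# Build an Authorization value only when the response carried a Basic
# challenge; a missing header or other schemes yield nil (send nothing).
def basic_authorization(www_authenticate, user, passwd)
  offered = parse_challenges(www_authenticate).any? { |scheme, _| scheme == 'basic' }
  offered ? 'Basic ' + ["#{user}:#{passwd}"].pack('m0') : nil
end

# Constructed sample headers (not captured traffic).
SAMPLES = {
  'no challenge'      => nil,
  'digest only'       => ['Digest realm="a, Basic realm=x", nonce="n"'],
  'digest then basic' => ['Digest realm="a", nonce="n"', 'Basic realm="files"'],
}
SAMPLES.each do |label, hdr|
  puts "#{label}: #{basic_authorization(hdr, 'user', 'pass').inspect}"
end
```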