samizdatco/nginx-http-auth-digest

Digest authentication does not work with uri containing escaped characters

Closed this issue · 2 comments

I'm currently using NGINX with the digest authentication module. I've activated the autoindex on a folder and everything worked fine until I had a folder containing whitespace in its name. Every time I tried to access it, the authentication failed.

I dumped the computed md5 in the error logs and compared it with the one sent by Firefox. It was indeed different, but I figured out that the computed md5 was the one computed with the URI unescaped (e.g. "/test/abcd .txt" instead of "/test/abcd%20.txt").

I am currently trying to modify the nginx-http-auth-digest code to escape the URL before computing the hash, but I was wondering how to properly do this. Moreover, there may be a way to configure NGINX to keep the raw URI when computing the md5, so I won't have to modify your code, but I didn't find much information on Google.

If any of you can reproduce this bug and help find the best way to correct this, any answer will be appreciated.

Regards,

Hi, I am running into this problem too.
In the beginning, the method I was planning to use to escape the URI was the same as yours. However, I found that the URI is handled differently from the other fields (username, realm and so on) in ngx_http_auth_digest_verfiy_hash. The function uses r->uri that has been escaped rather than fields->uri that has been unescaped, so I just commented out r->uri and used fields->uri instead. And now, it's OK!

I think this has been fixed in the latest version.
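
The mismatch reported in this issue can be reproduced outside NGINX. The following is an added example, not code from nginx-http-auth-digest: it computes the RFC 2617 `qop=auth` response for the path from the original post, once with the percent-decoded URI and once with the `uri` value exactly as the client sent it. The function names, credentials and nonce values are constructed for illustration, and the resource comparison is a simplification that ignores query strings.

```python
import hashlib
import hmac
from urllib.parse import unquote

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # uri is hashed byte-for-byte as given
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_expected(fields, method, uri, password):
    return digest_response(fields["username"], fields["realm"], password,
                           method, uri, fields["nonce"], fields["nc"],
                           fields["cnonce"])

def verify_with_decoded_uri(fields, method, request_target, password):
    # Behaviour described in the issue: the server hashes the unescaped path,
    # so any request whose path contains %XX escapes fails verification.
    expected = server_expected(fields, method, unquote(request_target), password)
    return hmac.compare_digest(expected, fields["response"])

def verify_with_header_uri(fields, method, request_target, password):
    # Hash the uri exactly as the client sent it in the Authorization header,
    # but first require that it names the same resource as the request line,
    # so a response computed for one path cannot authorize another.
    if unquote(fields["uri"]) != unquote(request_target):
        return False
    expected = server_expected(fields, method, fields["uri"], password)
    return hmac.compare_digest(expected, fields["response"])

# Constructed sample request (all values are made up for this example).
PASSWORD = "s3cret"
TARGET = "/test/abcd%20.txt"
FIELDS = {"username": "alice", "realm": "files", "uri": TARGET,
          "nonce": "abc123", "nc": "00000001", "cnonce": "xyz789"}
# What a client such as a browser would send: hash over the escaped URI.
FIELDS["response"] = digest_response("alice", "files", PASSWORD, "GET",
                                     TARGET, "abc123", "00000001", "xyz789")

if __name__ == "__main__":
    print("decoded uri :", verify_with_decoded_uri(FIELDS, "GET", TARGET, PASSWORD))
    print("header uri  :", verify_with_header_uri(FIELDS, "GET", TARGET, PASSWORD))
```
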