This re-implements parsing the digest challenge to fix authentication against servers returning multiple values for qop.

Take this example from https://httpwg.org/specs/rfc7616.html:

Here qop is set to qop="auth, auth-int". Because the previous parser split the entire list by comma to obtain the key value pairs, this gets separated into qop="auth and auth-int", which eventually fails to parse.

The new parser goes over the challenge rune by rune and does not split when inside a quotation.

Also some servers will respond with qop="auth,auth-int" (no space after the comma). Hence also adjust validateQop to handle this.
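
The quote-aware split described above, beside the plain comma split it replaces, as an added Go example that is not the project's own code. The function names naiveSplit, splitParams and qopOptions and the sample challenge parameters are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveSplit shows the failure mode: a plain comma split cuts quoted values.
func naiveSplit(params string) []string {
	return strings.Split(params, ",")
}

// splitParams (hypothetical name) walks the list rune by rune and splits
// only on commas outside a quoted string; \" inside quotes does not close it.
func splitParams(params string) []string {
	var out []string
	var cur strings.Builder
	inQuote, escaped := false, false
	for _, r := range params {
		switch {
		case escaped:
			escaped = false
		case r == '\\' && inQuote:
			escaped = true
		case r == '"':
			inQuote = !inQuote
		case r == ',' && !inQuote:
			out = append(out, strings.TrimSpace(cur.String()))
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
	}
	return append(out, strings.TrimSpace(cur.String()))
}

// qopOptions (hypothetical name) lists the tokens of a qop parameter,
// accepting both "auth, auth-int" and "auth,auth-int".
func qopOptions(param string) []string {
	v := strings.Trim(param[strings.IndexByte(param, '=')+1:], `" `)
	return strings.FieldsFunc(v, func(r rune) bool { return r == ',' || r == ' ' })
}

func main() {
	// Constructed challenge parameters (not captured from a real server).
	c := `realm="example", qop="auth, auth-int", algorithm=SHA-256`
	fmt.Printf("%q\n%q\n", naiveSplit(c), splitParams(c))
	fmt.Printf("%q\n", qopOptions(`qop="auth,auth-int"`))
}
```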