Digest authentication problem about yellowstone HOT 19 CLOSED

lib/RTSPClient.ts:317 -> let match = WWW_AUTH_REGEX.exec(authHeader)

returns

nonce="MTU0ODQxODQ4NS45ODA3MjA6SSBhbSBSVFNQIFNFUlZFUg==",nonce,MTU0ODQxODQ4NS45ODA3MjA6SSBhbSBSVFNQIFNFUlZFUg==

from yellowstone.

Progress:
The regex work if realm="rtsp server" contains no spaces (realm="rtspserver")

from yellowstone.

Just adding in some extra info.
HikVision cameras also have a realm with a space in them and it caused the C# based SharpRTSP library to fail too (I'm one of the SharpRTSP authors so had to fix my own bug there).

If you can do a fix in a fork one of us can commit it.

from yellowstone.

Solved for my case:
Regex should be:

([a-z]+)=\"([^,]+)\"

Don't know if that breaks something else.

Also had to change the "while loop" that loops through variable "match" to:

let match = WWW_AUTH_REGEX.exec(authHeader)
while (match != null) {
    const prop = match[1];

    if (prop == "realm" && match[2]) {
        realm = match[2];
    }

    if (prop == "nonce" && match[2]) {
        nonce = match[2];
    }

    match = WWW_AUTH_REGEX.exec(authHeader);
}

from yellowstone.

The fix can be found here:
https://gitlab.oleaasbo.no/public-projects/nodejs/yellowstone

from yellowstone.

I think the RegEx needs to be
([a-zA-Z]+)="([^\"]*)"

The RFC says the part before the '=' can be any case.
So this allows for the match[1] to be 1 or more characters of mixed case.

Then it has to match an Equals
This it has to match a Quote

Then it can match zero or mode characters that are Not a Quote - > Match[2]
This allows for empty strings eg realm="" it.
It also allows for commas in the Quoted string eg real="rtsp server, the best in the world"

Then it has to match a Quote

Anyone care to test the Regex ?
([a-zA-Z]+)="([^\"]*)"

from yellowstone.

I tested it and it worked ok. But I would like to add:

([a-zA-Z]+)\s?=\s?"?([^,"]*)

Demo

However, it is not perfect because the RFC gives an example i did not manage to fully regex.
RFC Example

WWW-Authenticate: Digest
       realm="[email protected]",
       qop="auth, auth-int",
       algorithm=SHA-256,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"

Specifically

qop="auth, auth-int",

from yellowstone.

@oleaasbo Thanks for testing and the are Regex that handles whitespace either side of the Equals

I thought I'd got a solution to handle qop="auth, auth-int" but it is not properly working.
I'd made this change
([a-zA-Z]+)\s*=\s*(\".*\"|[^,\s]+)

1. I changed the Whitespace \s? to \s* to allow it to pass over multiple spaces
2. The second Match now has two Alternatives.
   Alternative 1 is to match Quote, characters, Quote.
   Alternative 2 are characters that do not include whitespace or comma

From https://www.debuggex.com

But this fails when there are multiple items on one line (ie no Newlines)

So I need another go.

from yellowstone.

Hi

Fixed it with a Lazy .* when matching between the Quotes

([a-zA-Z]+)\s*=\s*(\".*?\"|[^,\s]+)

But just realised this now requires strings with the quotes back to Javascript.

So needs more work

from yellowstone.

Thanks for working more on this. I have expanded on your contribution:

([a-zA-Z]+)\s*=\s*"?((?<=").*?(?=")|.*?(?=\s*[a-zA-Z]+\s*\=)|.+[^=])

This will remove quotes. I also changed the way "no qoutes" get detected. You match with ", \s", but that would not work if "algorithm=SHA-256" (from the example above) is the last element in the header.
I also made sure that "no qoutes"-matches return all values if separated with "," (comma).

from yellowstone.

That's a clever RegEx.

I was thinking of a simpler RegEx and then some Javascript code.
I had gone back to
([a-zA-Z]+)\s*=\s*(".*?"|[^,\s]+)

and then was going to do the following (in pseudo code)
if (match[2] && match[2].startswith(Quote) && match[2].endswith(Quote) then
Trim the Quote from the start and the finish

I don't mind which way we go.

from yellowstone.

This regex will not work in all cases

([a-zA-Z]+)\s*=\s*(".*?"|[^,\s]+)

I might overcomplicate things now :)
Demo of what might happen but probably will not happen.

from yellowstone.

I would like to change one last time :)

([a-zA-Z]+)\s*=\s*"?((?<=").*?(?=")|.*?(?=,?\s*[a-zA-Z]+\s*\=)|.+[^=])

To remove "," (comma) from "algorithm=SHA-256, MD5," in the example above this comment.

from yellowstone.

I had a look at RFC 7616. It has examples where there are two different encryption algorithms in use at the same time. It does that with multiple Digest blocks, and does not try and put two algorithms into the same ``algorithm=xxx``` statement.

So I don't think we would need to cater for algorithm=SHA-256, MD5,

from yellowstone.

Yeah, I know :) But the thought that my RegEx theoretically could fail triggers my OCD..

from yellowstone.

Thank you for your contribution!

So the final RegEx to use is ([a-zA-Z]+)\s*=\s*"?((?<=").*?(?=")|.*?(?=,?\s*[a-zA-Z]+\s*\=)|.+[^=]) ?

from yellowstone.

Actually closing as it was committed by @RogerHardiman , thanks! Should we update the RegEx again or use the one committed?

from yellowstone.

I am using the last RegEx I shared in this issue report.
The Updated RegEX can be found here

from yellowstone.

I'd not committed the final RegEx

from yellowstone.