ZF-10286: Zend_Auth_Adapter_Digest does not read entire file on blank lines
Description
After a good 5 minutes of login failures during development using digest authentication, I finally realized what was going on: my file has a blank line in it.
Looking at the source code, I noticed that, on line 214 (in the authenticate() method), the while block condition fails whenever a blank line is found in the digest file.
Since this is not written in the docs, a note about this behavior should be added. Or better yet, the condition should be modified to read the entire file regardless of empty lines. In the PHP manual (http://php.net/manual/en/function.fgets.php) the demo shows a similar while, but using feof($fileHandle) instead, which gives more flexibility and ensures that the entire file is read before exiting the while block.
For example:
    // line 214
    // Loop until end of file instead of stopping at the first empty line
    while (!@feof($fileHandle)) {
        $line = trim(fgets($fileHandle));
        // Skip blank lines; match entries that start with the identity prefix
        if (!empty($line) && substr($line, 0, $idLength) === $id) {
            // The last 32 characters of the entry are the stored MD5 hash
            if (substr($line, -32) === md5("$this->_username:$this->_realm:$this->_password")) {
                $result['code'] = Zend_Auth_Result::SUCCESS;
            } else {
                $result['code'] = Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID;
                $result['messages'][] = 'Password incorrect';
            }
            return new Zend_Auth_Result($result['code'], $result['identity'], $result['messages']);
        }
    }
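
The behaviour described in this report, as an added example that is not part of the original issue or of Zend Framework: it scans a constructed digest file once with a loop that stops at the first blank line and once with a loop that reads to end of file, so the entry placed after the blank line is found only by the second. The function names, the `$stopAtBlank` switch, the sample users and realm are assumptions of this example, as is the premise that the old loop's condition was the trimmed line itself; `hash_equals()` is used here in place of the `===` comparison.

```php
<?php
// Added example, not Zend Framework code. File contents below are constructed.

// Returns the stored 32-char hash for "$username:$realm", or null if absent.
// $stopAtBlank = true mimics a loop whose condition is the trimmed line itself.
function findDigestHash($fh, string $username, string $realm, bool $stopAtBlank): ?string
{
    $prefix = "$username:$realm:";
    rewind($fh);
    while (($raw = fgets($fh)) !== false) {   // false only at EOF or read error
        $line = trim($raw);
        if ($line === '') {
            if ($stopAtBlank) {
                break;      // assumed old behaviour: blank line ends the scan
            }
            continue;       // fixed behaviour: skip it and keep reading
        }
        if (strncmp($line, $prefix, strlen($prefix)) === 0) {
            return substr($line, -32);
        }
    }
    return null;
}

function checkCredentials($fh, string $user, string $realm, string $pass, bool $stopAtBlank): string
{
    $stored = findDigestHash($fh, $user, $realm, $stopAtBlank);
    if ($stored === null) {
        return 'FAILURE_IDENTITY_NOT_FOUND';
    }
    // hash_equals() compares in constant time, unlike ===
    return hash_equals($stored, md5("$user:$realm:$pass"))
        ? 'SUCCESS' : 'FAILURE_CREDENTIAL_INVALID';
}

// Constructed digest file: two users separated by a blank line.
$realm = 'Example Realm';
$fh = fopen('php://memory', 'w+');
fwrite($fh, "alice:$realm:" . md5("alice:$realm:alice-pw") . "\n\n"
          . "bob:$realm:" . md5("bob:$realm:bob-pw") . "\n");

foreach ([true, false] as $stopAtBlank) {
    printf("stopAtBlank=%-5s bob => %s\n", var_export($stopAtBlank, true),
        checkCredentials($fh, 'bob', $realm, 'bob-pw', $stopAtBlank));
}
fclose($fh);
```
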
Comments
Posted by Adam Lundrigan (adamlundrigan) on 2012-05-29T14:49:43.000+0000
Patch w/ Test:
The above test passes without any modification to the existing {{Zend_Auth_Adapter_Http_Resolver_File}} class.