Issues

ZF-3092: The code allows "downgrade" of the authorization schemes.

Description

Zend/Auth/Adapter/Http.php

A check is missing that the authentication scheme suggested by the client is one of the schemes the server accepts. The current code allows the client to "downgrade" the authentication to the Basic scheme, even though you may have explicitly allowed only the Digest scheme (via $config['accept_schemes']).

Line: 393


if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

Should be:


if (!in_array($clientScheme, $this->_supportedSchemes)) {
    $this->_response->setHttpResponseCode(400);
    return new Zend_Auth_Result(
        Zend_Auth_Result::FAILURE_UNCATEGORIZED,
        array(),
        array('Client requested an unsupported authentication scheme')
    );
}

if (!in_array($clientScheme, $this->_acceptSchemes)) {
    // scheme is supported by the adapter but not accepted by the
    // configuration: challenge the client again instead of processing it
    return $this->_challengeClient();
}
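The negotiation the report describes, as an added example in Python (not Zend Framework code): a minimal model of an HTTP auth adapter that keeps the schemes it implements apart from the schemes its configuration accepts, and re-challenges the client rather than processing a downgraded scheme. HttpAuthNegotiator, SUPPORTED_SCHEMES and the nonce value are assumptions, not part of the framework.

```python
import base64
import binascii

# Schemes the adapter implements (the _supportedSchemes role in the report).
SUPPORTED_SCHEMES = ("basic", "digest")
CONSTRUCTED_NONCE = "constructed-nonce-for-example"   # constructed, not random


class HttpAuthNegotiator:
    def __init__(self, accept_schemes, realm="example"):
        # accept_schemes plays the role of $config['accept_schemes'].
        self.accept = tuple(s.lower() for s in accept_schemes)
        unknown = sorted(set(self.accept) - set(SUPPORTED_SCHEMES))
        if unknown:
            raise ValueError("cannot accept unimplemented schemes: %s" % unknown)
        self.realm = realm

    def challenge(self):
        # 401 with one WWW-Authenticate value per *accepted* scheme only,
        # so a Digest-only configuration never advertises Basic.
        headers = []
        for scheme in self.accept:
            if scheme == "basic":
                headers.append('Basic realm="%s"' % self.realm)
            else:
                headers.append('Digest realm="%s", qop="auth", nonce="%s"'
                               % (self.realm, CONSTRUCTED_NONCE))
        return ("challenge", 401, headers)

    def negotiate(self, authorization):
        """Decide what to do with a client Authorization header value."""
        if not authorization:
            return self.challenge()
        scheme, _, rest = authorization.strip().partition(" ")
        scheme = scheme.lower()
        if scheme not in SUPPORTED_SCHEMES:
            # The check that already existed: a scheme the adapter cannot handle.
            return ("reject", 400, "Client requested an unsupported authentication scheme")
        if scheme not in self.accept:
            # The missing check: implemented, but not allowed by configuration
            # (e.g. Basic offered against a Digest-only setup). Re-challenge.
            return self.challenge()
        if scheme == "basic":
            try:
                decoded = base64.b64decode(rest, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return ("reject", 400, "Malformed Basic credentials")
            user, _, password = decoded.partition(":")
            return ("verify", "basic", (user, password))
        # Digest parameters are handed on to the digest verifier untouched.
        return ("verify", "digest", rest)
```

Only scheme selection is modelled; credential verification for the chosen scheme is out of scope here.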

Comments

Please evaluate and categorize as necessary.

Resolved in trunk at r9403. A Zend_Auth_Result is returned with a Zend_Auth_Result::FAILURE_UNCATEGORIZED code.

Wrong implementation; yours (Slavey Karadzhov) is the right one, see r9404. Sorry.