[vlc-devel] [PATCH] http access: retain auth struct for the runtime of the module
Rémi Denis-Courmont
remi at remlab.net
Sat Sep 15 15:04:43 CEST 2018
On Friday, 14 September 2018, 20:08:43 EEST, Felix Paul Kühne wrote:
> The problem of 9bc4991e is that while Basic Authentication works just fine,
> Digest Authentication will fail as all Digest information is lost on the
> reconnections.
And that's completely irrelevant.
MD5 in HTTP Digest actually should be dropped properly to prevent downgrade
attacks, just like it was already dropped in TLS. And it won't be missed since
NTLM essentially took that "market segment" (even if NTLM is worse in some
ways than Digest). Literally, I have seen HTTP Digest-MD5 used exactly once in
twenty years on the Internet, and that's when I enabled it in my Apache
server for experimenting.
And then the non-broken hash in HTTP Digest, while it has been specified, does not
seem to be even supported by anybody, including VLC.
Meanwhile, this patch is an unauthorized revert and reintroduces a memory leak.
Please undo.
--
Rémi Denis-Courmont