[vlc-devel] [PATCH] http access: retain auth struct for the runtime of the module

Rémi Denis-Courmont remi at remlab.net
Sat Sep 15 15:04:43 CEST 2018


Le vendredi 14 septembre 2018, 20:08:43 EEST Felix Paul Kühne a écrit :
> The problem of 9bc4991e is that while Basic Authentication works just fine,
> Digest Authentication will fail as all Digest information is lost on the
> reconnections.

And that's completely irrelevant.

MD5 in HTTP Digest actually should be dropped properly to prevent downgrade 
attacks, just like it was already dropped in TLS. And it won't be missed since 
NTLM essentially took that "market segment" (even if NTLM is worse in some 
ways than Digest). Literally, I have seen HTTP Digest-MD5 used exactly once in 
twenty years on the Internet, and that's when I enabled in it in my Apache 
server for experimenting.

And then non-broken hash in HTTP Digest, while it has been specified, does not 
seem to be even supported by anybody, including VLC.


Meanwhile, this patch is an unauthorized revert and reintroduce a memory leak. 
Please undo.

-- 
Rémi Denis-Courmont




More information about the vlc-devel mailing list