
#7348 closed defect (fixed)

No Option to Specify HTTP Digest Authentication

Reported by: thornton prime Owned by: dkocher
Priority: normal Milestone: 4.4
Component: webdav Version: 4.3.1
Severity: normal Keywords:
Cc: Architecture:
Platform:

Description

CyberDuck always tries an HTTP Authenticate with Basic with WebDAV first, even if the connection is not protected with SSL or TLS.

WebDAV RFC 4918 (sect 20.1) states "Basic authentication MUST NOT be used to authenticate a WebDAV client to a server unless the connection is secure."

Attachments (3)

Cyberduck 7348 a.png (899.8 KB) - added by thornton prime on Aug 21, 2013 at 5:40:33 PM.
7348a
Cyberduck 7348 b.png (33.2 KB) - added by thornton prime on Aug 21, 2013 at 5:40:47 PM.
7348b
CyberDuck 7348 c.png (449.4 KB) - added by thornton prime on Aug 22, 2013 at 4:56:38 PM.
7348 c


Change History (13)

comment:1 Changed on Jul 16, 2013 at 8:19:21 AM by dkocher

  • Component changed from core to webdav
  • Milestone set to 4.4
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed on Jul 16, 2013 at 8:58:14 AM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

You can disable preemptive authentication as of r11994 with defaults write ch.sudo.cyberduck webdav.basic.preemptive false. Display unsecure connection alert if property is enabled and connection is not TLS.
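The rule the reporter cites (RFC 4918 section 20.1) and the change described in this comment boil down to two client-side behaviours: pick the authentication scheme from the server's WWW-Authenticate challenge instead of sending Basic credentials before any challenge, and refuse (or at least warn about) Basic when the connection is not TLS-protected. The following is an added illustration written for this page, not Cyberduck's code; the challenge header, request transcript, hostnames and credentials in it are constructed sample data, and the function names are the author's own.

```python
"""Challenge-driven WebDAV auth scheme selection and a cleartext-Basic audit.

Added example (not Cyberduck code). Demonstrates RFC 4918 s20.1: Basic MUST NOT
be used unless the connection is secure, and credentials should follow a
WWW-Authenticate challenge rather than be sent preemptively.
"""
import base64
import re
from urllib.parse import urlsplit

# Constructed 401 challenge from a server offering Digest and Basic (sample data).
SAMPLE_CHALLENGE = (
    'Digest realm="dav", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41", Basic realm="dav"'
)

# Constructed request transcript in the shape of the one posted later in this
# ticket, with made-up host and credentials ("davuser:example-password").
SAMPLE_REQUEST = (
    "HEAD /namespace/example/ HTTP/1.1\r\n"
    "Host: dav.example.test\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: example-dav-client/0.1\r\n"
    f"Authorization: Basic {base64.b64encode(b'davuser:example-password').decode()}\r\n"
    "\r\n"
)

# A scheme token appears at the start of the header or after the comma that
# separates challenges, and is followed by its first parameter (e.g. realm=).
_CHALLENGE_RE = re.compile(r"(?:^|,)\s*(Basic|Digest)\s+(?=[A-Za-z0-9_-]+=)", re.IGNORECASE)


def parse_challenges(header: str) -> list[str]:
    """Return the auth schemes offered in a WWW-Authenticate header, in order, lowercased."""
    return [scheme.lower() for scheme in _CHALLENGE_RE.findall(header)]


def connection_is_secure(url: str) -> bool:
    """TLS is the only transport under which RFC 4918 permits Basic."""
    return urlsplit(url).scheme.lower() == "https"


def select_scheme(url: str, www_authenticate: str, allow_basic_insecure: bool = False) -> str:
    """Choose a scheme from the server's challenge; Digest is preferred over Basic.

    Basic over a non-TLS URL raises PermissionError unless the caller explicitly
    opts in (the equivalent of acknowledging an "unsecure connection" alert).
    """
    offered = parse_challenges(www_authenticate)
    if "digest" in offered:
        return "digest"
    if "basic" in offered:
        if connection_is_secure(url) or allow_basic_insecure:
            return "basic"
        raise PermissionError(
            "server only offers Basic and the connection is not TLS-protected (RFC 4918 s20.1)"
        )
    raise ValueError(f"no supported scheme in challenge: {www_authenticate!r}")


def audit_request(transcript: str, tls: bool, challenged: bool = False) -> list[str]:
    """Flag a captured request that sends Basic credentials over cleartext or preemptively.

    `tls` says whether the capture came from a TLS connection; `challenged` says
    whether a 401 WWW-Authenticate was received earlier on this connection.
    """
    findings = []
    lines = transcript.strip().splitlines()
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        if not tls:
            findings.append(f"{request_line}: Basic credentials sent over a cleartext connection")
        if not challenged:
            findings.append(f"{request_line}: Basic credentials sent preemptively, before any challenge")
    return findings


if __name__ == "__main__":
    print("chosen scheme:", select_scheme("https://dav.example.test/", SAMPLE_CHALLENGE))
    for finding in audit_request(SAMPLE_REQUEST, tls=False):
        print("finding:", finding)
```

Run stand-alone, the script chooses Digest from the sample challenge and reports two findings for the sample request (cleartext and preemptive Basic), which is exactly the combination the reporter's log later shows.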

comment:3 Changed on Aug 21, 2013 at 5:40:03 PM by thornton prime

Pre-emptively sending credentials amounts to a security disclosure. You are sending credentials that can easily be converted to plain text.

Also, I still can't get it to work with r12552, even with webdav.basic.preemptive set to false.

See attached: in r12552 it warns me the connection is unsecured, even though I'm using SSL (7348a),

and it still tries to use basic authentication, even when I have pre-emptive basic authentication disabled (7348b).

Last edited on Aug 21, 2013 at 9:02:13 PM by dkocher

Changed on Aug 21, 2013 at 5:40:33 PM by thornton prime

7348a

Changed on Aug 21, 2013 at 5:40:47 PM by thornton prime

7348b

comment:4 Changed on Aug 21, 2013 at 6:14:40 PM by thornton prime

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:5 Changed on Aug 21, 2013 at 9:11:08 PM by dkocher

  • Status changed from reopened to new

comment:6 Changed on Aug 21, 2013 at 9:24:47 PM by dkocher

Added tests and unsecure warning fixed in r12556. Can you please post the transcript from the log drawer (⌘-L) running this revision.

comment:7 Changed on Aug 22, 2013 at 4:54:18 PM by thornton prime

Same error.

It looks like it is ignoring my ch.sudo.cyberduck webdav.basic.preemptive setting.

Here is the log:

HEAD /namespace/tprime/ HTTP/1.1
Host: prod.lattusdemo.com
Connection: Keep-Alive
User-Agent: Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)
Authorization: Basic dHByaW1lOjIyNjRJUQ==
HTTP/1.1 400 invalid digest keyword
DAV: 1,3
Date: Thu, 22 Aug 2013 16:48:58 GMT
Server: Quantum-Lattus/3.1.3-280be6a0cc162ad50c8abf484bfbcddd737fa6fc

Changed on Aug 22, 2013 at 4:56:38 PM by thornton prime

7348 c

comment:8 Changed on Aug 22, 2013 at 4:57:14 PM by thornton prime

Another screenshot if it helps:

7348 c

Last edited on Aug 22, 2013 at 5:46:39 PM by dkocher

comment:9 Changed on Aug 22, 2013 at 8:14:28 PM by dkocher

I suppose the problem is that you have installed Cyberduck from the Mac App Store as well and there are user defaults for the sandboxed version of Cyberduck in ~/Library/Containers/ch.sudo.cyberduck/Data/Library/Preferences/ch.sudo.cyberduck. If this exists, the defaults command writes changes to this configuration only.

As a workaround you can remove the application data in ~/Library/Containers/ch.sudo.cyberduck. I have not found how to force defaults to write changes to application preferences in ~/Library/Preferences.

comment:10 Changed on Aug 22, 2013 at 8:41:59 PM by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

Added fallback handling for 400 error response after preemptive authentication in r12565.
