diff --git a/src/calibre/srv/auth.py b/src/calibre/srv/auth.py
index 85eb88f7a1..d1dec5f540 100644
--- a/src/calibre/srv/auth.py
+++ b/src/calibre/srv/auth.py
@@ -162,7 +162,7 @@ class DigestAuth(object):  # {{{
             log.warn('Authorization URI mismatch: %s != %s from client: %s' % (
                 data.path, path, data.remote_addr))
             raise HTTPSimpleResponse(httplib.BAD_REQUEST, 'The uri in the Request Line and the Authorization header do not match')
-        return self.response is not None and path == data.path and self.request_digest(pw, data) == self.response
+        return self.response is not None and data.path == path and self.request_digest(pw, data) == self.response
 # }}}
diff --git a/src/calibre/srv/users.py b/src/calibre/srv/users.py
index d0659534cc..ff80c6fff6 100644
--- a/src/calibre/srv/users.py
+++ b/src/calibre/srv/users.py
@@ -80,7 +80,9 @@ class UserManager(object):
         uv = next(c.execute('PRAGMA user_version'))[0]
         if uv == 0:
             # We have to store the unhashed password, since the digest
-            # auth scheme requires it.
+            # auth scheme requires it. (Technically, one can store
+            # a MD5 hash of the username+realm+password, but it has to be
+            # without salt so it is trivially brute-forceable, anyway)
             # timestamp stores the ISO 8601 creation timestamp in UTC.
             c.execute('''
             CREATE TABLE users (
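Review bot: The rewritten return line still compares the computed digest to the client-supplied value with plain `==`, which short-circuits on the first differing byte; for an authentication check a constant-time comparison is the safer choice, e.g. `hmac.compare_digest(self.request_digest(pw, data), self.response)` (with `import hmac` at file level). The `data.path == path` operand also looks redundant here, since the preceding `raise HTTPSimpleResponse(...)` appears to reject a mismatch before this line is reached, though the guarding `if` is outside the hunk, so that should be confirmed. The enclosing method starts before the hunk.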
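Review bot: The new comment lines in users.py slightly misstate the alternative: the RFC 2617 HA1 form MD5(username:realm:password) is not literally unsalted — the username and realm act as a fixed, non-secret salt, so precomputed tables do not transfer between users, but MD5 is fast enough that per-user guessing stays cheap, and HA1 would at least keep the raw password out of the database. Consider rewording the parenthetical to `# (Storing only MD5(username:realm:password) per RFC 2617 would avoid keeping the raw password, but the username/realm salt is fixed and MD5 is fast, so per-user brute force remains cheap.)`; also "a MD5" should read "an MD5". The enclosing method continues past the hunk.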