...

2025-07-09 03:04:10 -04:00 · 2017-06-26 22:15:55 +05:30 · 2017-06-26 22:15:55 +05:30 · edd4ecd74f
commit edd4ecd74f
parent c3b3e3a7ae
2 changed files with 4 additions and 2 deletions
--- a/src/calibre/srv/auth.py
+++ b/src/calibre/srv/auth.py
@ -162,7 +162,7 @@ class DigestAuth(object):  # {{{
                log.warn('Authorization URI mismatch: %s != %s from client: %s' % (
                    data.path, path, data.remote_addr))
            raise HTTPSimpleResponse(httplib.BAD_REQUEST, 'The uri in the Request Line and the Authorization header do not match')
-        return self.response is not None and path == data.path and self.request_digest(pw, data) == self.response
+        return self.response is not None and data.path == path and self.request_digest(pw, data) == self.response
 # }}}


--- a/src/calibre/srv/users.py
+++ b/src/calibre/srv/users.py
@ -80,7 +80,9 @@ class UserManager(object):
                    uv = next(c.execute('PRAGMA user_version'))[0]
                    if uv == 0:
                        # We have to store the unhashed password, since the digest
-                        # auth scheme requires it.
+                        # auth scheme requires it. (Technically, one can store
+                        # a MD5 hash of the username+realm+password, but it has to be
+                        # without salt so it is trivially brute-forceable, anyway)
                        # timestamp stores the ISO 8601 creation timestamp in UTC.
                        c.execute('''
                        CREATE TABLE users (