From 950c7bb174c283bf202626ee32ebc21fa501f757 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 8 Feb 2026 12:30:09 +0100
Subject: [PATCH] digest: escape double quotes and backslashes in realm and nonce

change test 907 to use quote in realm to verify

Fixes #20482
Reported-by: cooldadpresident on github
Closes #20545
---
 lib/vauth/digest.c | 22 ++++++++++++++++------
 tests/data/test907 | 6 +++---
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index f34db9b90f..ec82564d2c 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -354,6 +354,8 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
   char method[] = "AUTHENTICATE";
   char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
   char *spn = NULL;
+  char *qrealm;
+  char *qnonce;
 
   /* Decode the challenge message */
   CURLcode result = auth_decode_digest_md5_message(chlg,
@@ -467,12 +469,20 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
   for(i = 0; i < MD5_DIGEST_LEN; i++)
     curl_msnprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
 
-  /* Generate the response */
-  response = curl_maprintf("username=\"%s\",realm=\"%s\",nonce=\"%s\","
-                           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\","
-                           "response=%s,qop=%s",
-                           userp, realm, nonce,
-                           cnonce, nonceCount, spn, resp_hash_hex, qop);
+  /* escape double quotes and backslashes in the realm and nonce as
+     necessary */
+  qrealm = auth_digest_string_quoted(realm);
+  qnonce = auth_digest_string_quoted(nonce);
+  if(qrealm && qnonce)
+    /* Generate the response */
+    response = curl_maprintf("username=\"%s\",realm=\"%s\",nonce=\"%s\","
+                             "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\","
+                             "response=%s,qop=%s",
+                             userp, qrealm, qnonce,
+                             cnonce, nonceCount, spn, resp_hash_hex, qop);
+
+  curlx_free(qrealm);
+  curlx_free(qnonce);
   curlx_free(spn);
   if(!response)
     return CURLE_OUT_OF_MEMORY;
diff --git a/tests/data/test907 b/tests/data/test907
index a73afbe488..73e0bd21d1 100644
--- a/tests/data/test907
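Review bot: The `if(qrealm && qnonce)` guard leaves `response` unassigned when either quoting call fails, so the `if(!response)` check after the frees reports CURLE_OUT_OF_MEMORY correctly only if `response` was initialised to NULL at its declaration, which is outside this hunk — worth confirming, or set `response = NULL;` right before the two quoting calls so the new path is self-contained. The guard also wraps a multi-line statement with a comment sitting between the `if` and its body; bracing it as `if(qrealm && qnonce) { ... }` keeps a later edit from silently landing outside the condition. The new comment could also say that the escaping applies to the wire form only, e.g. `/* escape double quotes and backslashes in the realm and nonce for the wire form; the digest above is computed over the raw values */`, assuming that is how resp_hash_hex was derived (the hashing lines are outside the hunk). Curl_auth_create_digest_md5_message begins and ends outside this hunk.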
+++ b/tests/data/test907
@@ -14,8 +14,8 @@ RFC4954
 AUTH DIGEST-MD5
-REPLY AUTH 334 %b64[realm="curl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",algorithm=md5-sess,qop="auth"]b64%
-REPLY %b64[username="user",realm="curl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",cnonce="34333231353332313633323137333231",nc="00000001",digest-uri="smtp/127.0.0.1",response=a27c4395f3386743be12207b7d1121c5,qop=auth]b64% 334 %b64[rspauth=9ea859cb9d90c37ca30d49d35378630c]b64%
+REPLY AUTH 334 %b64[realm="cu\"rl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",algorithm=md5-sess,qop="auth"]b64%
+REPLY %b64[username="user",realm="cu\"rl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",cnonce="34333231353332313633323137333231",nc="00000001",digest-uri="smtp/127.0.0.1",response=b7290e673d2ad888c445c9b2c7698d66,qop=auth]b64% 334 %b64[rspauth=9ea859cb9d90c37ca30d49d35378630c]b64%
 REPLY 235 Authenticated
@@ -50,7 +50,7 @@ smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-fr
 EHLO %TESTNUMBER
 AUTH DIGEST-MD5
-%b64[username="user",realm="curl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",cnonce="34333231353332313633323137333231",nc="00000001",digest-uri="smtp/127.0.0.1",response=a27c4395f3386743be12207b7d1121c5,qop=auth]b64%
+%b64[username="user",realm="cu\"rl",nonce="5300d17a1d695bd411e4cdf96f9548c23ced6175",cnonce="34333231353332313633323137333231",nc="00000001",digest-uri="smtp/127.0.0.1",response=b7290e673d2ad888c445c9b2c7698d66,qop=auth]b64%
 MAIL FROM:%LTsender@example.com%GT
 RCPT TO:%LTrecipient@example.com%GT