3 files changed, 12 insertions, 8 deletions

diff --git a/lib/webrick/httpauth/basicauth.rb b/lib/webrick/httpauth/basicauth.rb
index ca5b0e9da3..e835361dc2 100644
--- a/lib/webrick/httpauth/basicauth.rb
+++ b/lib/webrick/httpauth/basicauth.rb
@@ -34,7 +34,7 @@ module WEBrick
         unless basic_credentials = check_scheme(req)
           challenge(req, res)
         end
-        userid, password = decode64(basic_credentials).split(":", 2) 
+        userid, password = basic_credentials.unpack("m*")[0].split(":", 2) 
         password ||= ""
         if userid.empty?
           error("user id was not given.")
diff --git a/lib/webrick/httpauth/digestauth.rb b/lib/webrick/httpauth/digestauth.rb
index a5177459b7..318e0bf17f 100644
--- a/lib/webrick/httpauth/digestauth.rb
+++ b/lib/webrick/httpauth/digestauth.rb
@@ -174,11 +174,11 @@ module WEBrick
 
         if auth_req['qop'] == "auth" || auth_req['qop'] == nil
           ha2 = hexdigest(req.request_method, auth_req['uri'])
-          ha2_res = digest("", auth_req['uri'])
+          ha2_res = hexdigest("", auth_req['uri'])
         elsif auth_req['qop'] == "auth-int"
           ha2 = hexdigest(req.request_method, auth_req['uri'],
                           hexdigest(req.body))
-          ha2_res = digest("", auth_req['uri'], hexdigest(req.body))
+          ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body))
         end
 
         if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"
@@ -330,10 +330,6 @@ module WEBrick
       def hexdigest(*args)
         @h.hexdigest(args.join(":"))
       end
-
-      def digest(*args)
-        @h.digest(args.join(":"))
-      end
     end
 
     class ProxyDigestAuth < DigestAuth
diff --git a/lib/webrick/httpauth/htpasswd.rb b/lib/webrick/httpauth/htpasswd.rb
index a4a80647d8..40f9297b05 100644
--- a/lib/webrick/httpauth/htpasswd.rb
+++ b/lib/webrick/httpauth/htpasswd.rb
@@ -32,7 +32,15 @@ module WEBrick
           open(@path){|io|
             while line = io.gets
               line.chomp!
-              user, pass = line.split(":")
+              case line
+              when %r!\A[^:]+:[a-zA-Z0-9./]{13}\z!
+                user, pass = line.split(":")
+              when /:\$/, /:\{SHA\}/
+                raise NotImplementedError,
+                      'MD5, SHA1 .htpasswd file not supported'
+              else
+                raise StandardError, 'bad .htpasswd file'
+              end
               @passwd[user] = pass
             end
           }