5 files changed, 315 insertions, 113 deletions
diff --git a/lisp/filenotify.el b/lisp/filenotify.el
index dbf19cf2f20..8bbe348f332 100644
--- a/lisp/filenotify.el
+++ b/lisp/filenotify.el
@@ -422,7 +422,7 @@ DESCRIPTOR should be an object returned by `file-notify-add-watch'."
 ;;   (This may be the desired behaviour.)
 ;; * Watching a file in a already watched directory
 ;;   If the file is created and *then* a watch is added to that file, the
-;;   watch might receive events which occured prior to it being created,
+;;   watch might receive events which occurred prior to it being created,
 ;;   due to the way events are propagated during idle time.  Note: This
 ;;   may be perfectly acceptable.
diff --git a/lisp/progmodes/js.el b/lisp/progmodes/js.el
index aed42a85076..3c720c05610 100644
--- a/lisp/progmodes/js.el
+++ b/lisp/progmodes/js.el
@@ -1713,7 +1713,7 @@ This performs fontification according to `js--class-styles'."
              (not (any ?\] ?\\))
              (and "\\" not-newline)))
         "]")))
-   (group "/"))
+   (group (zero-or-one "/")))
  "Regular expression matching a JavaScript regexp literal.")
 (defun js-syntax-propertize-regexp (end)
@@ -1721,12 +1721,13 @@ This performs fontification according to `js--class-styles'."
    (when (eq (nth 3 ppss) ?/)
      ;; A /.../ regexp.
      (goto-char (nth 8 ppss))
-      (when (and (looking-at js--syntax-propertize-regexp-regexp)
+      (when (looking-at js--syntax-propertize-regexp-regexp)
-                 ;; Don't touch text after END.
+        ;; Don't touch text after END.
-                 (<= (match-end 1) end))
+        (when (> end (match-end 1))
-        (put-text-property (match-beginning 1) (match-end 1)
+          (setq end (match-end 1)))
+        (put-text-property (match-beginning 1) end
                           'syntax-table (string-to-syntax "\"/"))
-        (goto-char (match-end 0))))))
+        (goto-char end)))))
 (defun js-syntax-propertize (start end)
  ;; JavaScript allows immediate regular expression objects, written /.../.
diff --git a/lisp/progmodes/perl-mode.el b/lisp/progmodes/perl-mode.el
index a516f07e72f..b75f32ee200 100644
--- a/lisp/progmodes/perl-mode.el
+++ b/lisp/progmodes/perl-mode.el
@@ -255,9 +255,11 @@
      ;; format statements
      ("^[ \t]*format.*=[ \t]*\\(\n\\)"
       (1 (prog1 "\"" (perl-syntax-propertize-special-constructs end))))
-      ;; Funny things in `sub' arg-specs like `sub myfun ($)' or `sub ($)'.
+      ;; Propertize perl prototype chars `$%&*;+@\[]' as punctuation
-      ;; Be careful not to match "sub { (...) ... }".
+      ;; in `sub' arg-specs like `sub myfun ($)' and `sub ($)'.  But
-      ("\\<sub\\(?:[\s\t\n]+\\(?:\\sw\\|\\s_\\)+\\)?[\s\t\n]*(\\([^)]+\\))"
+      ;; don't match subroutine signatures like `sub add ($a, $b)', or
+      ;; anonymous subs like "sub { (...) ... }".
+      ("\\<sub\\(?:[\s\t\n]+\\(?:\\sw\\|\\s_\\)+\\)?[\s\t\n]*(\\([][$%&*;+@\\]+\\))"
       (1 "."))
      ;; Turn __DATA__ trailer into a comment.
      ("^\\(_\\)_\\(?:DATA\\|END\\)__[ \t]*\\(?:\\(\n\\)#.-\\*-.*perl.*-\\*-\\|\n.*\\)"
diff --git a/lisp/ses.el b/lisp/ses.el
index 50507132346..66fc0c5ebdf 100644
--- a/lisp/ses.el
+++ b/lisp/ses.el
@@ -2276,7 +2276,7 @@ print area if NONARROW is nil."
  "Recalculate and reprint the current cell or range.
 If SES--CURCELL is non nil use it as current cell or range
-without any check, otherwise fnuction (ses-check-curcell 'range)
+without any check, otherwise function (ses-check-curcell 'range)
 is called.
 For an individual cell, shows the error if the formula or printer
diff --git a/lisp/url/url-auth.el b/lisp/url/url-auth.el
index 7b6cdd53790..2885d4e12e2 100644
--- a/lisp/url/url-auth.el
+++ b/lisp/url/url-auth.el
@@ -131,8 +131,8 @@ instead of the filename inheritance method."
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;; Digest authorization code
 ;;; ------------------------
-;;; This implements the DIGEST authorization type.  See the internet draft
+;;; This implements the DIGEST authorization type.  See RFC 2617
-;;; ftp://ds.internic.net/internet-drafts/draft-ietf-http-digest-aa-01.txt
+;;; https://www.ietf.org/rfc/rfc2617.txt
 ;;; for the complete documentation on this type.
 ;;;
 ;;; This is very secure
@@ -143,107 +143,306 @@ Its value is an assoc list of assoc lists.  The first assoc list is
 keyed by the server name.  The cdr of this is an assoc list based
 on the \"directory\" specified by the url we are looking up.")
+(defsubst url-digest-auth-colonjoin (&rest args)
+  "Concatenate ARGS as strings with colon as a separator."
+  (mapconcat 'identity args ":"))
+(defsubst url-digest-auth-kd (data secret)
+  "Apply digest algorithm to DATA using SECRET and return the result."
+  (md5 (url-digest-auth-colonjoin secret data)))
+(defsubst url-digest-auth-make-ha1 (user realm password)
+  "Compute checksum out of strings USER, REALM, and PASSWORD."
+  (md5 (url-digest-auth-colonjoin user realm password)))
+(defsubst url-digest-auth-make-ha2 (method digest-uri)
+  "Compute checksum out of strings METHOD and DIGEST-URI."
+  (md5 (url-digest-auth-colonjoin method digest-uri)))
+(defsubst url-digest-auth-make-request-digest (ha1 ha2 nonce)
+  "Construct the request-digest from hash strings HA1, HA2, and NONCE.
+This is the value that server receives as a proof that user knows
+a password."
+  (url-digest-auth-kd (url-digest-auth-colonjoin nonce ha2) ha1))
+(defsubst url-digest-auth-make-request-digest-qop (qop ha1 ha2 nonce nc cnonce)
+  "Construct the request-digest with qop.
+QOP describes the \"quality of protection\" and algorithm to use.
+All of the strings QOP, HA1, HA2, NONCE, NC, and CNONCE are
+combined into a single hash value that proves to a server the
+user knows a password.  It's worth noting that HA2 already
+depends on value of QOP."
+  (url-digest-auth-kd (url-digest-auth-colonjoin
+                       nonce nc cnonce qop ha2) ha1))
+(defsubst url-digest-auth-directory-id (url realm)
+  "Make an identifier for selecting a key in key cache.
+The identifier is made either from URL or REALM.  It represents a
+protection space within a server so that one server can have
+multiple authorizations."
+  (or realm (or (url-file-directory (url-filename url)) "/")))
+(defsubst url-digest-auth-server-id (url)
+  "Make an identifier for selecting a server in key cache.
+The identifier is made from URL's host and port.  Together with
+`url-digest-auth-directory-id' these identify a single key in the
+key cache `url-digest-auth-storage'."
+  (format "%s:%d" (url-host url) (url-port url)))
+(defun url-digest-auth-make-cnonce ()
+  "Compute a new unique client nonce value."
+  (base64-encode-string
+   (apply 'format "%016x%04x%04x%05x%05x" (random) (current-time)) t))
+(defun url-digest-auth-nonce-count (nonce)
+  "The number requests sent to server with the given NONCE.
+This count includes the request we're preparing here.
+Currently, this is not implemented and will always return 1.
+Value returned is in string format with leading zeroes, such as
+\"00000001\"."
+  (format "%08x" 1))
+(defun url-digest-auth-name-value-string (pairs)
+  "Concatenate name-value pairs in association list PAIRS.
+Output is formatted as \"name1=\\\"value1\\\", name2=\\\"value2\\\", ...\""
+  (mapconcat (lambda (pair)
+               (format "%s=\"%s\""
+                       (symbol-name (car pair))
+                       (cdr pair)))
+             pairs ", "))
+(defun url-digest-auth-source-creds (url)
+  "Find credentials for URL object from the Emacs auth-source.
+Return value is a plist that has `:user' and `:secret' properties
+if credentials were found.  Otherwise nil."
+  (let ((server (url-digest-auth-server-id url))
+        (type (url-type url)))
+    (list :user (url-do-auth-source-search server type :user)
+          :secret (url-do-auth-source-search server type :secret))))
+(defun url-digest-prompt-creds (url realm &optional creds)
+  "Prompt credentials for URL and REALM, defaulting to CREDS.
+CREDS is a plist that may have properties `:user' and `:secret'."
+  ;; Set explicitly in case creds were nil.  This makes the second
+  ;; plist-put modify the same plist.
+  (setq creds
+        (plist-put creds :user
+                   (read-string (url-auth-user-prompt url realm)
+                                (or (plist-get creds :user)
+                                    (user-real-login-name)))))
+  (plist-put creds :secret
+             (read-passwd "Password: " nil (plist-get creds :secret))))
+(defun url-digest-auth-directory-id-assoc (dirkey keylist)
+  "Find the best match for DIRKEY in key alist KEYLIST.
+The string DIRKEY should be obtained using
+`url-digest-auth-directory-id'.  The key list to search through
+is the alist KEYLIST where car of each element may match DIRKEY.
+If DIRKEY represents a realm, the list is searched only for an
+exact match.  For directory names, an ancestor is sufficient for
+a match."
+  (or
+   ;; Check exact match first.
+   (assoc dirkey keylist)
+   ;; No exact match found.  Continue to look for partial match if
+   ;; dirkey is not a realm.
+   (and (string-match "/" dirkey)
+        (let (match)
+          (while (and (null match) keylist)
+            (if (or
+                 ;; Any realm candidate matches.  Why?
+                 (not (string-match "/" (caar keylist)))
+                 ;; Parent directory matches.
+                 (string-prefix-p (caar keylist) dirkey))
+                (setq match (car keylist))
+              (setq keylist (cdr keylist))))
+          match))))
+(defun url-digest-cached-key (url realm)
+  "Find best match for URL and REALM from `url-digest-auth-storage'.
+The return value is a list consisting of a realm (or a directory)
+a user name, and hashed authentication tokens HA1 and HA2.
+Modifying the contents of the returned list will modify the cache
+variable `url-digest-auth-storage' itself."
+  (url-digest-auth-directory-id-assoc
+   (url-digest-auth-directory-id url realm)
+   (cdr (assoc (url-digest-auth-server-id url) url-digest-auth-storage))))
+(defun url-digest-cache-key (key url)
+  "Add key to `url-digest-auth-storage'.
+KEY has the same format as returned by `url-digest-cached-key'.
+The key is added to cache hierarchy under server id, deduced from
+URL."
+  (let ((serverid (url-digest-auth-server-id url)))
+    (push (list serverid key) url-digest-auth-storage)))
 (defun url-digest-auth-create-key (username password realm method uri)
-  "Create a key for digest authentication method"
+  "Create a key for digest authentication method.
-  (let* ((info (if (stringp uri)
+The USERNAME and PASSWORD are the credentials for REALM and are
-                   (url-generic-parse-url uri)
+used in making a hashed value named HA1.  The HTTP METHOD and URI
-                 uri))
+makes a second hashed value HA2.  These hashes are used in making
-         (a1 (md5 (concat username ":" realm ":" password)))
+the authentication key that can be stored without saving the
-         (a2 (md5 (concat method ":" (url-filename info)))))
+password in plain text.  The return value is a list (HA1 HA2).
-    (list a1 a2)))
+For backward compatibility, URI is allowed to be a URL cl-struct
-(defun url-digest-auth (url &optional prompt overwrite realm args)
+object."
-  "Get the username/password for the specified URL.
+  (and username password realm
-If optional argument PROMPT is non-nil, ask for the username/password
+       (list (url-digest-auth-make-ha1 username realm password)
-to use for the URL and its descendants.  If optional third argument
+             (url-digest-auth-make-ha2 method (cond ((stringp uri) uri)
-OVERWRITE is non-nil, overwrite the old username/password pair if it
+                                                    (t (url-filename uri)))))))
-is found in the assoc list.  If REALM is specified, use that as the realm
-instead of hostname:portnum."
+(defun url-digest-auth-build-response (key url realm attrs)
-  (if args
+  "Compute authorization string for the given challenge using KEY.
-      (let* ((href (if (stringp url)
-                       (url-generic-parse-url url)
+The string looks like 'Digest username=\"John\", realm=\"The
-                     url))
+Realm\", ...'
-             (server (url-host href))
-             (type (url-type href))
+Part of the challenge is already solved in a pre-computed KEY
-             (port (url-port href))
+which is list of a realm (or a directory), user name, and hash
-             (file (url-filename href))
+tokens HA1 and HA2.
-             (enable-recursive-minibuffers t)
-             user pass byserv retval data)
+Some fields are filled as is from the given URL, REALM, and
-        (setq file (cond
+using the contents of alist ATTRS.
-                    (realm realm)
-                    ((string-match "/$" file) file)
+ATTRS is expected to contain at least the server's \"nonce\"
-                    (t (url-file-directory file)))
+value.  It also might contain the optional \"opaque\" value.
-              server (format "%s:%d" server port)
+Newer implementations conforming to RFC 2617 should also contain
-              byserv (cdr-safe (assoc server url-digest-auth-storage)))
+qop (Quality Of Protection) and related attributes.
-        (cond
-         ((and prompt (not byserv))
+Restrictions on Quality of Protection scheme: The qop value
-          (setq user (or
+\"auth-int\" or algorithm any other than \"MD5\" are not
-                      (url-do-auth-source-search server type :user)
+implemented."
-                      (read-string (url-auth-user-prompt url realm)
-                                   (user-real-login-name)))
+  (when key
-                pass (or
+    (let ((user (nth 1 key))
-                      (url-do-auth-source-search server type :secret)
+          (ha1 (nth 2 key))
-                      (read-passwd "Password: "))
+          (ha2 (nth 3 key))
-                url-digest-auth-storage
+          (digest-uri (url-filename url))
-                (cons (list server
+          (qop (cdr-safe (assoc "qop" attrs)))
-                            (cons file
+          (nonce (cdr-safe (assoc "nonce" attrs)))
-                                  (setq retval
+          (opaque (cdr-safe (assoc "opaque" attrs))))
-                                        (cons user
-                                              (url-digest-auth-create-key
+      (concat
-                                               user pass realm
+       "Digest "
-                                               (or url-request-method "GET")
+       (url-digest-auth-name-value-string
-                                               url)))))
+        (append (list (cons 'username user)
-                      url-digest-auth-storage)))
+                      (cons 'realm realm)
-         (byserv
+                      (cons 'nonce nonce)
-          (setq retval (cdr-safe (assoc file byserv)))
+                      (cons 'uri digest-uri))
-          (if (and (not retval)         ; no exact match, check directories
-                   (string-match "/" file)) ; not looking for a realm
+                (cond
-              (while (and byserv (not retval))
+                 ((null qop)
-                (setq data (car (car byserv)))
+                  (list (cons 'response (url-digest-auth-make-request-digest
-                (if (or (not (string-match "/" data))
+                                         ha1 ha2 nonce))))
-                        (and
+                 ((string= qop "auth")
-                         (>= (length file) (length data))
+                  (let ((nc (url-digest-auth-nonce-count nonce))
-                         (string= data (substring file 0 (length data)))))
+                        (cnonce (url-digest-auth-make-cnonce)))
-                    (setq retval (cdr (car byserv))))
+                    (list (cons 'qop qop)
-                (setq byserv (cdr byserv))))
+                          (cons 'nc nc)
-          (if overwrite
+                          (cons 'cnonce cnonce)
-              (if (and (not retval) prompt)
+                          (cons 'response
-                  (setq user (or
+                                (url-digest-auth-make-request-digest-qop
-                              (url-do-auth-source-search server type :user)
+                                 qop ha1 ha2 nonce nc cnonce)))))
-                              (read-string (url-auth-user-prompt url realm)
+                 (t (message "Quality of protection \"%s\" is not implemented." qop)
-                                           (user-real-login-name)))
+                    nil))
-                        pass (or
-                              (url-do-auth-source-search server type :secret)
-                              (read-passwd "Password: "))
+                (if opaque (list (cons 'opaque opaque)))))))))
-                        retval (setq retval
-                                     (cons user
+(defun url-digest-find-creds (url prompt &optional realm)
-                                           (url-digest-auth-create-key
+  "Find or ask credentials for URL.
-                                            user pass realm
-                                            (or url-request-method "GET")
+Primary method for finding credentials is from Emacs auth-source.
-                                            url)))
+If password isn't found, and PROMPT is non-nil, query credentials
-                        byserv (assoc server url-digest-auth-storage))
+via minibuffer.  Optional REALM may be used when prompting as a
-                (setcdr byserv
+hint to the user.
-                        (cons (cons file retval) (cdr byserv))))))
-         (t (setq retval nil)))
+Return value is nil in case either user name or password wasn't
-        (if retval
+found.  Otherwise, it's a plist containing `:user' and `:secret'.
-            (if (cdr-safe (assoc "opaque" args))
+Additional `:source' property denotes the origin of the
-                (let ((nonce (or (cdr-safe (assoc "nonce" args)) "nonegiven"))
+credentials and its value can be either symbol `authsource' or
-                      (opaque (cdr-safe (assoc "opaque" args))))
+`interactive'."
-                  (format
+  (let ((creds (url-digest-auth-source-creds url)))
-                   (concat "Digest username=\"%s\", realm=\"%s\","
-                           "nonce=\"%s\", uri=\"%s\","
+    ;; If credentials weren't found and prompting is allowed, prompt
-                           "response=\"%s\", opaque=\"%s\"")
+    ;; the user.
-                   (nth 0 retval) realm nonce (url-filename href)
+    (if (and prompt
-                   (md5 (concat (nth 1 retval) ":" nonce ":"
+             (or (null creds)
-                                (nth 2 retval))) opaque))
+                 (null (plist-get creds :secret))))
-              (let ((nonce (or (cdr-safe (assoc "nonce" args)) "nonegiven")))
+        (progn
-                (format
+          (setq creds (url-digest-prompt-creds url realm creds))
-                 (concat "Digest username=\"%s\", realm=\"%s\","
+          (plist-put creds :source 'interactive))
-                         "nonce=\"%s\", uri=\"%s\","
+      (plist-put creds :source 'authsource))
-                         "response=\"%s\"")
-                 (nth 0 retval) realm nonce (url-filename href)
+    (and (plist-get creds :user)
-                 (md5 (concat (nth 1 retval) ":" nonce ":"
+         (plist-get creds :secret)
-                              (nth 2 retval))))))))))
+         creds)))
+(defun url-digest-find-new-key (url realm prompt)
+  "Find credentials and create a new authorization key for given URL and REALM.
+Return value is the new key, or nil if credentials weren't found.
+\"New\" in this context means a key that's not yet found in cache
+variable `url-digest-auth-storage'.  You may use `url-digest-cache-key'
+to put it there.
+This function uses `url-digest-find-creds' to find the
+credentials.  It first looks in auth-source.  If not found, and
+PROMPT is non-nil, user is asked for credentials interactively
+via minibuffer."
+  (let (creds)
+    (unwind-protect
+        (if (setq creds (url-digest-find-creds url prompt realm))
+            (cons (url-digest-auth-directory-id url realm)
+                  (cons (plist-get creds :user)
+                        (url-digest-auth-create-key
+                         (plist-get creds :user)
+                         (plist-get creds :secret)
+                         realm
+                         (or url-request-method "GET")
+                         (url-filename url)))))
+      (if (and creds
+               ;; Don't clear secret for `authsource' since it will
+               ;; corrupt any future fetches for it.
+               (not (eq (plist-get creds :source) 'authsource)))
+          (clear-string (plist-get creds :secret))))))
+(defun url-digest-auth (url &optional prompt overwrite realm attrs)
+  "Get the HTTP Digest response string for the specified URL.
+If optional argument PROMPT is non-nil, ask for the username and
+password to use for the URL and its descendants but only if one
+cannot be found from cache.  Look also in Emacs auth-source.
+If optional third argument OVERWRITE is non-nil, overwrite the
+old credentials, if they're found in cache, with new ones from
+user prompt or from Emacs auth-source.
+If REALM is specified, use that instead of the URL descendant
+method to match cached credentials.
+Alist ATTRS contains additional attributes for the authentication
+challenge such as nonce and opaque."
+  (if attrs
+      (let* ((href (if (stringp url) (url-generic-parse-url url) url))
+             (enable-recursive-minibuffers t)
+             (key (url-digest-cached-key href realm)))
+        (if (or (null key) overwrite)
+            (let ((newkey (url-digest-find-new-key href realm (cond
+                                                               (key nil)
+                                                               (t prompt)))))
+              (if (and newkey key overwrite)
+                  (setcdr key (cdr newkey))
+                (if (and newkey (null key))
+                    (url-digest-cache-key (setq key newkey) href)))))
+        (if key
+            (url-digest-auth-build-response key href realm attrs)))))
 (defvar url-registered-auth-schemes nil
  "A list of the registered authorization schemes and various and sundry