* fixed mem-leak in mod_auth (reported by Stefan Esser)

* fixed crash with md5-sess and cnonce not set in mod_auth (reported
  by Stefan Esser)
* fixed missing check for base64 encoded string in mod_auth and Basic
  auth (reported by Stefan Esser)
* fixed possible crash in Auth-Digest header parser on trailing WS in
  mod_auth (reported by Stefan Esser)


git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1875 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -13,6 +13,12 @@ NEWS
   * fixed circumventing url.access-deny by trailing slash (#1230)
   * fixed crash on duplicate headers with trailing WS (#1232)
   * fixed accepting more connections then requested (#1216)
+  * fixed mem-leak in mod_auth (reported by Stefan Esser)
+  * fixed crash with md5-sess and cnonce not set in mod_auth (reported by Stefan Esser)
+  * fixed missing check for base64 encoded string in mod_auth and Basic auth
+    (reported by Stefan Esser)
+  * fixed possible crash in Auth-Digest header parser on trailing WS in 
+    mod_auth (reported by Stefan Esser) 
 
 - 1.4.15 - 2007-04-13
 

src/http_auth.c

@@ -830,7 +830,13 @@ int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p,
 
 	username = buffer_init();
 
-	base64_decode(username, realm_str);
+	if (!base64_decode(username, realm_str)) {
+		buffer_free(username);
+
+		log_error_write(srv, __FILE__, __LINE__, "sb", "decodeing base64-string failed", username);
+
+		return 0;
+	}
 
 	/* r2 == user:password */
 	if (NULL == (pw = strchr(username->ptr, ':'))) {
@@ -967,7 +973,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	for (c = b->ptr; *c; c++) {
 		/* skip whitespaces */
 		while (*c == ' ' || *c == '\t') c++;
-		if (!c) break;
+		if (!*c) break;
 
 		for (i = 0; dkv[i].key; i++) {
 			if ((0 == strncmp(c, dkv[i].key, dkv[i].key_len))) {
@@ -1016,6 +1022,21 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 
 		log_error_write(srv, __FILE__, __LINE__, "s",
 				"digest: missing field");
+
+		buffer_free(b);
+		return -1;
+	}
+
+	/**
+	 * protect the md5-sess against missing cnonce and nonce
+	 */
+	if (algorithm &&
+	    0 == strcasecmp(algorithm, "md5-sess") &&
+	    (!nonce || !cnonce)) {
+		log_error_write(srv, __FILE__, __LINE__, "s",
+				"digest: (md5-sess: missing field");
+
+		buffer_free(b);
 		return -1;
 	}
 

tests/mod-auth.t

@@ -8,7 +8,7 @@ BEGIN {
 
 use strict;
 use IO::Socket;
-use Test::More tests => 10;
+use Test::More tests => 13;
 use LightyTest;
 
 my $tf = LightyTest->new();
@@ -93,6 +93,43 @@ EOF
 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 ok($tf->handle_http($t) == 0, 'Digest-Auth: missing nc (noncecount instead), no crash');
 
+$t->{REQUEST}  = ( <<EOF
+GET /server-status HTTP/1.0
+Authorization: Basic =
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid Base64');
+
+
+$t->{REQUEST}  = ( <<EOF
+GET /server-status HTTP/1.0
+User-Agent: Wget/1.9.1
+Authorization: Digest username="jan", realm="jan",
+	nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
+	uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
+	cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
+	nc="asd",
+	response="29B32C2953C763C6D033C8A49983B87E"
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Digest-Auth: md5-sess + missing cnonce');
+
+$t->{REQUEST}  = ( <<EOF
+GET /server-status HTTP/1.0
+User-Agent: Wget/1.9.1
+Authorization: Digest username="jan", realm="jan",
+	nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
+	uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
+	cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
+	nc="asd",
+	response="29B32C2953C763C6D033C8A49983B87E"     
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Digest-Auth: trailing WS');
+
 
 
 ok($tf->stop_proc == 0, "Stopping lighttpd");