* fixed mem-leak in mod_auth (reported by Stefan Esser)

* fixed crash with md5-sess and cnonce not set in mod_auth (reported
  by Stefan Esser)
* fixed missing check for base64 encoded string in mod_auth and Basic
  auth (reported by Stefan Esser)
* fixed possible crash in Auth-Digest header parser on trailing WS in
  mod_auth (reported by Stefan Esser)


git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1875 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.16
Jan Kneschke 16 years ago
parent b2a96c959a
commit 15e260c28b

@ -13,6 +13,12 @@ NEWS
* fixed circumventing url.access-deny by trailing slash (#1230)
* fixed crash on duplicate headers with trailing WS (#1232)
* fixed accepting more connections then requested (#1216)
* fixed mem-leak in mod_auth (reported by Stefan Esser)
* fixed crash with md5-sess and cnonce not set in mod_auth (reported by Stefan Esser)
* fixed missing check for base64 encoded string in mod_auth and Basic auth
(reported by Stefan Esser)
* fixed possible crash in Auth-Digest header parser on trailing WS in
mod_auth (reported by Stefan Esser)
- 1.4.15 - 2007-04-13

@ -830,7 +830,13 @@ int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p,
username = buffer_init();
base64_decode(username, realm_str);
if (!base64_decode(username, realm_str)) {
buffer_free(username);
log_error_write(srv, __FILE__, __LINE__, "sb", "decodeing base64-string failed", username);
return 0;
}
/* r2 == user:password */
if (NULL == (pw = strchr(username->ptr, ':'))) {
@ -967,7 +973,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
for (c = b->ptr; *c; c++) {
/* skip whitespaces */
while (*c == ' ' || *c == '\t') c++;
if (!c) break;
if (!*c) break;
for (i = 0; dkv[i].key; i++) {
if ((0 == strncmp(c, dkv[i].key, dkv[i].key_len))) {
@ -1016,6 +1022,21 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
log_error_write(srv, __FILE__, __LINE__, "s",
"digest: missing field");
buffer_free(b);
return -1;
}
/**
* protect the md5-sess against missing cnonce and nonce
*/
if (algorithm &&
0 == strcasecmp(algorithm, "md5-sess") &&
(!nonce || !cnonce)) {
log_error_write(srv, __FILE__, __LINE__, "s",
"digest: (md5-sess: missing field");
buffer_free(b);
return -1;
}

@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
use Test::More tests => 10;
use Test::More tests => 13;
use LightyTest;
my $tf = LightyTest->new();
@ -93,6 +93,43 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
ok($tf->handle_http($t) == 0, 'Digest-Auth: missing nc (noncecount instead), no crash');
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
Authorization: Basic =
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid Base64');
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
User-Agent: Wget/1.9.1
Authorization: Digest username="jan", realm="jan",
nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
nc="asd",
response="29B32C2953C763C6D033C8A49983B87E"
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
ok($tf->handle_http($t) == 0, 'Digest-Auth: md5-sess + missing cnonce');
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
User-Agent: Wget/1.9.1
Authorization: Digest username="jan", realm="jan",
nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
nc="asd",
response="29B32C2953C763C6D033C8A49983B87E"
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
ok($tf->handle_http($t) == 0, 'Digest-Auth: trailing WS');
ok($tf->stop_proc == 0, "Stopping lighttpd");

Loading…
Cancel
Save