[mod_authn_dbi] copy strings before escaping

dbi_conn_escape_string_copy() requires '\0'-terminated string. While that is currently the case for strings in http_auth_info_t, that will soon change, so consumers must use ai->username with ai->ulen, and ai->realm with ai->rlen
12 months ago · 60b773a6cb
1 changed files with 15 additions and 2 deletions
--- a/src/mod_authn_dbi.c
+++ b/src/mod_authn_dbi.c
@ -416,6 +416,7 @@ mod_authn_dbi_password_cmp (const char *userpw, unsigned long userpwlen, http_au
 static buffer *
 mod_authn_dbi_query_build (buffer * const sqlquery, dbi_config * const dbconf, http_auth_info_t * const ai)
 {
+    char buf[1024];
    buffer_clear(sqlquery);
    int qcount = 0;
    for (char *b = dbconf->sqlquery->ptr, *d; *b; b = d+1) {
@ -427,10 +428,22 @@ mod_authn_dbi_query_build (buffer * const sqlquery, dbi_config * const dbconf, h
            const char *v;
            switch (++qcount) {
              case 1:
-                v = ai->username;
+                if (ai->ulen < sizeof(buf)) {
+                    memcpy(buf, ai->username, ai->ulen);
+                    buf[ai->ulen] = '\0';
+                    v = buf;
+                }
+                else
+                    return NULL;
                break;
              case 2:
-                v = ai->realm;
+                if (ai->rlen < sizeof(buf)) {
+                    memcpy(buf, ai->realm, ai->rlen);
+                    buf[ai->rlen] = '\0';
+                    v = buf;
+                }
+                else
+                    return NULL;
                break;
              case 3:
                if (ai->dalgo & HTTP_AUTH_DIGEST_SHA256)