From c008fd7ec8ce65623bff085c6cfa0274ebba3cc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= Date: Sat, 29 Jun 2013 09:45:27 +0000 Subject: [PATCH] [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478) git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2877 152afb58-edef-0310-8abb-c4023f1b3aa9 --- NEWS | 1 + src/http_auth.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 67b7377b..cd634c10 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,7 @@ NEWS * fix some bugs found with canalyze (fixes #2484, thx Zhenbo Xu) * fix undefined stuff found with clang * [cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add -Wl,--as-needed to extra warnings (fixes #2448) + * [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478) - 1.4.32 - 2012-11-21 * Code cleanup with clang/sparse (fixes #2437, thx kibi) diff --git a/src/http_auth.c b/src/http_auth.c index 5100e06a..447e2f9a 100644 --- a/src/http_auth.c +++ b/src/http_auth.c @@ -934,6 +934,7 @@ typedef struct { char **ptr; } digest_kv; +/* return values: -1: error/bad request, 0: failed, 1: success */ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str) { char a1[256]; char a2[256]; @@ -1071,6 +1072,14 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p return -1; } + if (qop && strcasecmp(qop, "auth-int") == 0) { + log_error_write(srv, __FILE__, __LINE__, "s", + "digest: qop=auth-int not supported"); + + buffer_free(b); + return -1; + } + m = get_http_method_name(con->request.http_method); /* password-string == HA1 */ @@ -1131,10 +1140,13 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); + /* qop=auth-int not supported, already checked above */ +/* if (qop && strcasecmp(qop, "auth-int") == 0) { li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *) [body checksum], HASHHEXLEN); } +*/ li_MD5_Final(HA2, &Md5Ctx); CvtHex(HA2, HA2Hex);