array_get_element_klen() is now intended for read-only access
array_get_data_unset() is used by config processing for r/w access
array_get_buf_ptr() is used for r/w access to ds->value (string buffer)
lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header. lighttpd does not
attempt to determine if different URIs are semantically equivalent.
This commit removes a condition which permitted an Authenticate header
with a uri= containing a query-string to be used with the request-uri
which did not contain any query-string. The condition was likely added
in the original implementation which operated on lighttpd request.uri
instead of the correct request.orig_uri (original URI sent to lighttpd).
HTTP Digest Access Authentication
https://www.rfc-editor.org/rfc/rfc7616.txt
3.4.6. Various Considerations
The authenticating server MUST assure that the resource designated by
the "uri" parameter is the same as the resource specified in the
Request-Line; if they are not, the server SHOULD return a 400 Bad
Request error. (Since this may be a symptom of an attack, server
implementers may want to consider logging such errors.) The purpose
of duplicating information from the request URL in this field is to
deal with the possibility that an intermediate proxy may alter the
client's Request-Line. This altered (but presumably semantically
equivalent) request would not result in the same digest as that
calculated by the client.
x-ref:
"HTTP Digest Access Authentication"
https://www.rfc-editor.org/rfc/rfc7616.txt
"HTTP digest authentication not compatible with some clients"
https://redmine.lighttpd.net/issues/2974
https://www.rfc-editor.org/rfc/rfc7616.txt
3.3. The WWW-Authenticate Response Header Field
...
For historical reasons, a sender MUST only generate the quoted string
syntax values for the following parameters: realm, domain, nonce,
opaque, and qop.
For historical reasons, a sender MUST NOT generate the quoted string
syntax values for the following parameters: stale and algorithm.
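As an added example (not lighttpd's own code), a strict uri= check in the spirit of this commit: the uri auth-param taken from the Authorization header must be byte-identical to the original request-target, query string included, otherwise the request gets a 400 as RFC 7616 3.4.6 directs. The small auth-param extraction helper is a simplified one written for this illustration, not lighttpd's parser.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative helper: locate one auth-param (e.g. "uri") in a Digest
 * Authorization header value. Accepts quoted and unquoted forms.
 * Sets *out to the start of the value and returns its length, or -1. */
static int digest_param(const char *hdr, const char *name, const char **out)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while ((p = strstr(p, name)) != NULL) {
        /* require a token boundary before the name and '=' right after */
        if ((p == hdr || p[-1] == ' ' || p[-1] == ',' || p[-1] == '\t')
            && p[nlen] == '=') {
            p += nlen + 1;
            if (*p == '"') {                       /* quoted-string form */
                const char *q = strchr(++p, '"');
                if (q == NULL) return -1;          /* unterminated quote */
                *out = p;
                return (int)(q - p);
            }
            *out = p;                              /* token form */
            return (int)strcspn(p, ", \t");
        }
        p += nlen;
    }
    return -1;
}

/* Strict match: uri= must equal request.orig_uri byte for byte, so a
 * uri= carrying a query string does not pair with a request-target that
 * lacks one (the permissive case this commit removes).
 * Returns 200 on match, 400 when uri= is missing or differs. */
int digest_uri_check(const char *authz_hdr, const char *orig_uri)
{
    const char *uri;
    int len = digest_param(authz_hdr, "uri", &uri);
    if (len < 0) return 400;
    size_t olen = strlen(orig_uri);
    if ((size_t)len != olen || memcmp(uri, orig_uri, olen) != 0) {
        /* RFC 7616 suggests logging, since this may signal an attack */
        fprintf(stderr, "digest: uri= does not match request-target\n");
        return 400;
    }
    return 200;
}
```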
specialized buffer_eq_icase_ssn func replaces strncasecmp()
in cases where string lengths are not known to be at least
as large as the len being compared case-insensitively.
(Separate commit in case any future changes modify the
implementation to be unsafe for shorter strings, where
strncasecmp() would stop at '\0' in either string)
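An added example (not lighttpd's implementation) of the property this commit relies on: a length-bounded, case-insensitive compare that stops at the first NUL in either input, so it is safe to call with a string shorter than len. is_digest_scheme() is an assumed caller showing the typical use, matching a scheme prefix against a header value of unknown length.

```c
#include <ctype.h>
#include <stddef.h>

/* Compare up to len bytes of a and b case-insensitively.
 * Stops at a NUL in either string, so a shorter string is never read
 * past its terminator. Returns 1 if equal over that range, else 0. */
int eq_icase_ssn(const char *a, const char *b, size_t len)
{
    for (size_t i = 0; i < len; ++i) {
        unsigned char ca = (unsigned char)a[i], cb = (unsigned char)b[i];
        if (ca == '\0' || cb == '\0')
            return ca == cb;            /* equal only if both end here */
        if (tolower(ca) != tolower(cb))
            return 0;
    }
    return 1;
}

/* Assumed caller: does an Authorization header value start with the
 * "Digest " scheme token? The value may be shorter than the 7-byte
 * prefix, which is exactly the case the bounded compare must handle. */
int is_digest_scheme(const char *header_value)
{
    return eq_icase_ssn(header_value, "Digest ", 7);
}
```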
save 40 bytes (64-bit), or 16 bytes (32-bit) per data_* element
at the cost of going through indirect function pointer to execute
methods. At runtime, the reset() method is most used among them.
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
More specific checks on contents of array lists. Each module using
lists now does better checking on the types of values in the list
(strings, integers, arrays/lists)
This helps prevent misconfiguration of things like cgi.assign,
fastcgi.server, and scgi.server, where source code might be
served as static files if parentheses are misplaced.
x-ref:
https://redmine.lighttpd.net/boards/2/topics/6571
Set auth.extern-authn = "enable" to check REMOTE_USER (if set) against
require rules, and proceed if allowed. If REMOTE_USER is not present,
or the require rules do not match, then check configured auth scheme.
REMOTE_USER might be set by another module (e.g. mod_openssl client cert
verification and REMOTE_USER configured with ssl.verifyclient.username)
x-ref:
"[mod_auth] allow SSL clientcert authenticated users to bypass AUTH"
https://redmine.lighttpd.net/issues/2481
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()
These are not necessarily cryptographically secure, but should be better
than rand()
HTTP Basic auth backends now do both authn and authz
in order to provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
fix potential NULL pointer dereference in mod_deflate.c
remove logically dead code in connection-glue.c
add coverity annotations to see if some issues will be reclassified
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
Make Digest authentication more compliant with RFC.
Excerpt from https://www.rfc-editor.org/rfc/rfc7616.txt Section 5.13:
The bottom line is that any compliant implementation will be
relatively weak by cryptographic standards, but any compliant
implementation will be far superior to Basic Authentication.
x-ref:
"Serious security problem in Digest Authentication"
https://redmine.lighttpd.net/issues/1844
buffer.c:itostr() undefined behavior taking modulus of negative number
additional minor code changes made to quiet other coverity warnings
(false positives)
also change passing of fixed-sized arrays: need to pass pointer to array
as otherwise size does not get enforced
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3135 152afb58-edef-0310-8abb-c4023f1b3aa9