[mod_auth] fix Basic auth passwd cache (fixes #3112)

(thx manfred)

Basic auth passwd cache might fail to match when it should have
matched (false negative) when comparing an uninitialized byte.
That bug "fails closed" and does not use the cache when it could.
This patch allows for proper match in the cache when it should match.

x-ref:
  https://redmine.lighttpd.net/issues/3112
  "mod_auth cache password doesn't match"

INSTALL

@@ -141,6 +141,7 @@ required packages to run test harness ::
   perl-HTTP-Message
   perl-IO-HTML
   perl-LWP-MediaTypes
+  perl-Test-Harness
   perl-Tie-Function
   perl-TimeDate
 

src/fdlog.h

@@ -5,12 +5,12 @@
 #include "base_decls.h"
 #include "buffer.h"
 
-typedef struct fdlog_st {
+struct fdlog_st {
     enum { FDLOG_FILE, FDLOG_FD, FDLOG_SYSLOG, FDLOG_PIPE } mode;
     int fd;
     buffer b;
     const char *fn;
-} fdlog_st;
+};
 
 __attribute_cold__
 __attribute_returns_nonnull__

src/h2.c

@@ -1742,6 +1742,7 @@ h2_init_con (request_st * const restrict h2r, connection * const restrict con, c
     con->read_idle_ts = log_monotonic_secs;
     con->keep_alive_idle = h2r->conf.max_keep_alive_idle;
 
+    /*(h2r->h2_rwin must match value assigned in h2_init_stream())*/
     h2r->h2_rwin = 65535;                 /* h2 connection recv window */
     h2r->h2_swin = 65535;                 /* h2 connection send window */
     /* settings sent from peer */         /* initial values */
@@ -2552,7 +2553,7 @@ h2_init_stream (request_st * const h2r, connection * const con)
     /* XXX: TODO: assign default priority, etc.
      *      Perhaps store stream id and priority in separate table */
     h2c->r[h2c->rused++] = r;
-    r->h2_rwin = h2c->s_initial_window_size;
+    r->h2_rwin = 65535; /* must keep in sync with h2_init_con() */
     r->h2_swin = h2c->s_initial_window_size;
     r->http_version = HTTP_VERSION_2;
 

src/mod_auth.c

@@ -63,7 +63,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
      *(store pointer to http_auth_require_t, which is persistent
      * and will be different for each realm + permissions combo)*/
     http_auth_cache_entry * const ae =
-      malloc(sizeof(http_auth_cache_entry) + ulen + pwlen);
+      malloc(sizeof(http_auth_cache_entry) + ulen + pwlen+1);
     force_assert(ae);
     ae->require = require;
     ae->ctime = log_monotonic_secs;
@@ -74,6 +74,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
     ae->pwdigest = ae->username + ulen;
     memcpy(ae->username, username, ulen);
     memcpy(ae->pwdigest, pw, pwlen);
+    ae->pwdigest[pwlen] = '\0';
     return ae;
 }
 

src/mod_extforward.c

@@ -43,28 +43,13 @@
  *       config. However "all" has effect only on connecting IP, as the
  *       X-Forwarded-For header can not be trusted.
  *
- * Note: The effect of this module is variable on $HTTP["remotip"] directives and
+ * Note: The effect of this module is variable on $HTTP["remoteip"] directives and
  *       other module's remote ip dependent actions.
  *  Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
  *  Things done in between these two moments will match on the real client's IP.
  *  The moment things are done by a module depends on in which hook it does things and within the same hook
  *  on whether they are before/after us in the module loading order
  *  (order in the server.modules directive in the config file).
- *
- * Tested behaviours:
- *
- *  mod_access: Will match on the real client.
- *
- *  mod_accesslog:
- *   In order to see the "real" ip address in access log ,
- *   you'll have to load mod_extforward after mod_accesslog.
- *   like this:
- *
- *    server.modules  = (
- *       .....
- *       mod_accesslog,
- *       mod_extforward
- *    )
  */
 
 
@@ -1218,7 +1203,6 @@ int mod_extforward_plugin_init(plugin *p) {
 	p->handle_connection_accept = mod_extforward_handle_con_accept;
 	p->handle_uri_raw = mod_extforward_uri_handler;
 	p->handle_request_env = mod_extforward_handle_request_env;
-	p->handle_request_done = mod_extforward_restore;
 	p->handle_request_reset = mod_extforward_restore;
 	p->handle_connection_close = mod_extforward_handle_con_close;
 	p->set_defaults  = mod_extforward_set_defaults;