mirror/mongoose
1
0
Fork 0
mirror of https://github.com/cesanta/mongoose.git synced 2025-08-05 13:14:11 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Fix digest auth result comparison

Browse Source 
Should use length of the exected response, not the response sent by the user.

CL: mg: Fix digest auth result comparison

PUBLISHED_FROM=23375133b8babac0b276b51395917ad975e1bd3c
This commit is contained in:
Deomid Ryabkov 2018-10-15 16:16:14 +01:00 committed by Cesanta Bot
parent c438bb0bc5
commit 220231e647
2 changed files with 10 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
mongoose.c
View File

@ -7668,7 +7668,7 @@ int mg_check_digest_auth(struct mg_str method, struct mg_str uri,
struct mg_str nc, struct mg_str nonce, struct mg_str nc, struct mg_str nonce,
struct mg_str auth_domain, FILE *fp) { struct mg_str auth_domain, FILE *fp) {
char buf[128], f_user[sizeof(buf)], f_ha1[sizeof(buf)], f_domain[sizeof(buf)]; char buf[128], f_user[sizeof(buf)], f_ha1[sizeof(buf)], f_domain[sizeof(buf)];
char expected_response[33]; char exp_resp[33];
/* /*
* Read passwords file line by line. If should have htdigest format, * Read passwords file line by line. If should have htdigest format,
@ -7682,11 +7682,10 @@ int mg_check_digest_auth(struct mg_str method, struct mg_str uri,
/* Username and domain matched, check the password */ /* Username and domain matched, check the password */
mg_mkmd5resp(method.p, method.len, uri.p, uri.len, f_ha1, strlen(f_ha1), mg_mkmd5resp(method.p, method.len, uri.p, uri.len, f_ha1, strlen(f_ha1),
nonce.p, nonce.len, nc.p, nc.len, cnonce.p, cnonce.len, nonce.p, nonce.len, nc.p, nc.len, cnonce.p, cnonce.len,
qop.p, qop.len, expected_response); qop.p, qop.len, exp_resp);
LOG(LL_DEBUG, LOG(LL_DEBUG, ("%.*s %s %.*s %s", (int) username.len, username.p,
("%.*s %s %.*s %s", (int) username.len, username.p, f_domain, f_domain, (int) response.len, response.p, exp_resp));
(int) response.len, response.p, expected_response)); return mg_ncasecmp(response.p, exp_resp, strlen(exp_resp)) == 0;
return mg_ncasecmp(response.p, expected_response, response.len) == 0;
} }
} }

11
src/mg_http.c
View File

@ -1923,7 +1923,7 @@ int mg_check_digest_auth(struct mg_str method, struct mg_str uri,
struct mg_str nc, struct mg_str nonce, struct mg_str nc, struct mg_str nonce,
struct mg_str auth_domain, FILE *fp) { struct mg_str auth_domain, FILE *fp) {
char buf[128], f_user[sizeof(buf)], f_ha1[sizeof(buf)], f_domain[sizeof(buf)]; char buf[128], f_user[sizeof(buf)], f_ha1[sizeof(buf)], f_domain[sizeof(buf)];
char expected_response[33]; char exp_resp[33];
/* /*
* Read passwords file line by line. If should have htdigest format, * Read passwords file line by line. If should have htdigest format,
@ -1937,11 +1937,10 @@ int mg_check_digest_auth(struct mg_str method, struct mg_str uri,
/* Username and domain matched, check the password */ /* Username and domain matched, check the password */
mg_mkmd5resp(method.p, method.len, uri.p, uri.len, f_ha1, strlen(f_ha1), mg_mkmd5resp(method.p, method.len, uri.p, uri.len, f_ha1, strlen(f_ha1),
nonce.p, nonce.len, nc.p, nc.len, cnonce.p, cnonce.len, nonce.p, nonce.len, nc.p, nc.len, cnonce.p, cnonce.len,
qop.p, qop.len, expected_response); qop.p, qop.len, exp_resp);
LOG(LL_DEBUG, LOG(LL_DEBUG, ("%.*s %s %.*s %s", (int) username.len, username.p,
("%.*s %s %.*s %s", (int) username.len, username.p, f_domain, f_domain, (int) response.len, response.p, exp_resp));
(int) response.len, response.p, expected_response)); return mg_ncasecmp(response.p, exp_resp, strlen(exp_resp)) == 0;
return mg_ncasecmp(response.p, expected_response, response.len) == 0;
} }
} }