[PATCH] httpd: fix username verification with md5 auth

Peter Korsgaard jacmet at uclibc.org
Fri Jun 13 10:27:02 UTC 2008


>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:

[resend with proper from:]

Hi,

 >> if (strcmp(p, request) == 0) {
 >> set_remoteuser_var:
 >> -				remoteuser = xstrndup(request, u - request);
 >> +				remoteuser = xstrndup(request, strchr(request, ':') - request);
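
Review bot: the added line subtracts request from the result of strchr(request, ':') with no NULL check, and it sits under the set_remoteuser_var: label, so any goto to that label reaches it without passing the strcmp(p, request) == 0 test shown above it. Suggest storing the strchr() result and checking it before the subtraction, or adding a comment that states why every path to the label guarantees a ':' in request.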

 Denys> Here where request without ':' will bite us.

Actually, thinking about it a bit more - This cannot happen as the
strcmp() wouldn't match. Notice that we could use 'p' here instead of
'request' and the result would be the same.

-- 
Bye, Peter Korsgaard


