[PATCH] httpd: fix username verification with md5 auth
Peter Korsgaard
jacmet at uclibc.org
Fri Jun 13 10:27:02 UTC 2008
>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:
[resend with proper from:]
Hi,
>> if (strcmp(p, request) == 0) {
>> set_remoteuser_var:
>> - remoteuser = xstrndup(request, u - request);
>> + remoteuser = xstrndup(request, strchr(request, ':') - request);
Denys> Here where request without ':' will bite us.
Actually, thinking about it a bit more - This cannot happen as the
strcmp() wouldn't match. Notice that we could use 'p' here instead of
'request' and the result would be the same.
--
Bye, Peter Korsgaard
More information about the busybox
mailing list