[PATCH] httpd: fix username verification with md5 auth
Peter Korsgaard
jacmet at uclibc.org
Fri Jun 13 11:44:19 UTC 2008
>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:
>> Actually, thinking about it a bit more - This cannot happen as the
>> strcmp() wouldn't match.
Denys> There is no code which ensures that ':' exists *in config file*.
Denys> It seems like there is no code to ensure that leading '/' is there too.
Denys> Find this comment:
Denys> //TODO: we do not test for leading "/"??
Denys> //also, do we leak cur if BASIC_AUTH is off?
>> Notice that we could use 'p' here instead of
>> 'request' and the result would be the same.
Denys> Thus p can very well be lacking ':'.
Ok, but then it's a configuration problem, rather than a remote
security issue - Not to say that we shouldn't be more robust when we
parse the conf file.
--
Bye, Peter Korsgaard
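A stricter parse of the kind Peter asks for, as an added example that is not busybox code: it assumes the "/dir:user:password" auth line format of httpd.conf and uses hypothetical names (parse_auth_line, count_rejected) and constructed sample lines.

```c
#include <string.h>
#include <stdio.h>

/* Status of one "/dir:user:password" auth line (format assumed here). */
enum auth_status { AUTH_OK, AUTH_NO_LEADING_SLASH, AUTH_NO_COLON,
                   AUTH_EMPTY_FIELD, AUTH_TOO_LONG };

/* Hypothetical strict checker: splits an httpd.conf-style auth line into
 * the directory and the "user:password" credential, rejecting malformed
 * lines at config-parse time instead of letting them reach the later
 * strcmp() against the request path. */
enum auth_status parse_auth_line(const char *line, char *dir, size_t dirsz,
                                 char *cred, size_t credsz)
{
    const char *colon, *colon2;
    size_t dlen, clen;

    if (line[0] != '/')
        return AUTH_NO_LEADING_SLASH;   /* the "TODO" mentioned in the thread */
    colon = strchr(line, ':');
    if (colon == NULL)
        return AUTH_NO_COLON;           /* nothing separates dir from creds */
    colon2 = strchr(colon + 1, ':');
    if (colon2 == NULL || colon2 == colon + 1 || colon2[1] == '\0')
        return AUTH_EMPTY_FIELD;        /* need a non-empty user AND password */
    dlen = (size_t)(colon - line);
    clen = strlen(colon + 1);
    if (dlen >= dirsz || clen >= credsz)
        return AUTH_TOO_LONG;
    memcpy(dir, line, dlen);  dir[dlen] = '\0';
    memcpy(cred, colon + 1, clen);  cred[clen] = '\0';
    return AUTH_OK;
}

/* Constructed config lines, one per case the thread worries about. */
static const char *sample_conf[] = {
    "/cgi-bin:foo:bar",   /* well formed */
    "cgi-bin:foo:bar",    /* missing leading '/' */
    "/private",           /* no ':' at all */
    "/private:foo:",      /* empty password */
};

/* Returns how many of the constructed lines the strict parser rejects. */
int count_rejected(void)
{
    char dir[64], cred[64];
    int rejected = 0;
    for (size_t i = 0; i < sizeof sample_conf / sizeof sample_conf[0]; i++)
        if (parse_auth_line(sample_conf[i], dir, sizeof dir,
                            cred, sizeof cred) != AUTH_OK)
            rejected++;
    return rejected;
}
```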