[PATCH] httpd: fix username verification with md5 auth
Peter Korsgaard
jacmet at uclibc.org
Fri Jun 13 17:12:38 UTC 2008
>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:
Hi,
>> >> if (strcmp(p, request) == 0) {
>> >> set_remoteuser_var:
>> >> - remoteuser = xstrndup(request, u - request);
>> >> + remoteuser = xstrndup(request, strchr(request, ':') - request);
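Review bot: the result of strchr(request, ':') on the added line is subtracted from request without a NULL check, so a request string with no ':' would give xstrndup() a length computed from a null pointer. The set_remoteuser_var: label sits directly above this line, so the line can also be reached by a goto that does not pass through the strcmp() shown here, and the visible lines do not show that every such path guarantees a ':'. Suggest storing the strchr() result in a local, handling the NULL case explicitly, and only then computing the length from it.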
>>
Denys> Here is where a request without ':' will bite us.
>>
>> Actually, thinking about it a bit more - This cannot happen as the
>> strcmp() wouldn't match.
Denys> There is no code which ensures that ':' exists *in config file*.
Denys> It seems like there is no code to ensure that leading '/' is
Denys> there too. Find this comment:
Denys> //TODO: we do not test for leading "/"??
Denys> //also, do we leak cur if BASIC_AUTH is off?
>> Notice that we could use 'p' here instead of
>> 'request' and the result would be the same.
Denys> Thus p can very well be lacking ':'.
No, as this code will only be entered if the strcmp() matches.
--
Bye, Peter Korsgaard
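
Added example, not part of the original message and not BusyBox code: a stand-alone sketch of the check the thread is debating, showing that a strcmp() match only proves the request contains ':' when the config entry does. The helper name `match_and_extract_user`, the sample credential pairs and the rejection of an empty user name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not BusyBox code): compare a "user:password"
 * config entry with the request credentials and, on a match, return a
 * newly allocated copy of the user name. Returns NULL on mismatch,
 * malformed input or allocation failure. */
static char *match_and_extract_user(const char *cfg_entry, const char *request)
{
    const char *colon;
    size_t ulen;
    char *user;

    if (cfg_entry == NULL || request == NULL)
        return NULL;
    if (strcmp(cfg_entry, request) != 0)
        return NULL;
    /* Equal strings only prove request has ':' if the config entry had
     * one, so look for it explicitly before any pointer arithmetic. */
    colon = strchr(request, ':');
    if (colon == NULL || colon == request)
        return NULL;    /* no separator, or empty user (assumed policy) */
    ulen = (size_t)(colon - request);
    user = malloc(ulen + 1);
    if (user == NULL)
        return NULL;
    memcpy(user, request, ulen);
    user[ulen] = '\0';
    return user;
}

int main(void)
{
    /* Constructed sample pairs: { config entry, request } */
    const char *cases[][2] = {
        { "alice:secret", "alice:secret" },
        { "alice:secret", "alice:wrong"  },
        { "alice",        "alice"        },  /* entry lacks ':' */
        { ":secret",      ":secret"      },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *u = match_and_extract_user(cases[i][0], cases[i][1]);
        printf("%-13s vs %-13s -> %s\n", cases[i][0], cases[i][1],
               u ? u : "(rejected)");
        free(u);
    }
    return 0;
}
```

The third pair is the case to watch: both strings are equal, so strcmp() matches, yet neither contains ':' and an unchecked strchr() would return NULL.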