Ticket #1456 (closed defect: fixed)

Opened 6 months ago

Last modified 5 months ago

http authorization header case problem

Reported by: mickael9@gmail.com Assigned to: jan
Priority: normal Milestone: 1.4.19
Component: mod_auth Version: 1.4.18
Severity: minor Keywords: mod_auth basic digest authorization
Cc: Blocking:
Need Feedback: 0

Description

Hi, I noticed that lighttpd doesn't use case-sensitive comparisons for the "Basic" and "Digest" authorization methods (mod_auth.c:251 and mod_auth.c:257)

Fix: replace strncmp with strncasecmp.

For example, PHP sends Authorization: BASIC Zm9vOmJhcg== (and it's not recognized by lighttpd)

Attachments

Change History

(follow-up: ↓ 2 ) 11/15/2007 05:23:21 PM changed by ralf

don't use strncasecmp() here, because:

strncasecmp ("basicY", "basicX", 5)

returns 0.

(in reply to: ↑ 1 ; follow-up: ↓ 3 ) 11/15/2007 06:35:08 PM changed by anonymous

Replying to ralf:

don't use strncasecmp() here, because: {{{ strncasecmp ("basicY", "basicX", 5) }}} returns 0.

huh ?

strncmp("basicx", "basicy", 5) returns 0 too :) The only difference between strncmp and strncasecmp is the case-sensitivity. Also, auth_type_len is not a fixed-size value, it's the first space's position in the authorization header:

{{{
if (NULL != (auth_realm = strchr(http_authorization, ' '))) { // Ptr to the first space
    int auth_type_len = auth_realm - http_authorization;      // First space's position
    if ((auth_type_len == 5) &&
        (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
}}}

(in reply to: ↑ 2 ) 11/15/2007 06:38:13 PM changed by ralf

[..]

{{{ if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) { }}}

[..]

sorry, you are right.

I didn't scroll up to see that the length is checked, so silently forget my comment ;)
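The exchange above turns on one detail: the auth_type_len == 5 check is what makes the prefix comparison exact, so switching strncmp() to strncasecmp() cannot let "basicY" match "Basic". The following is an added example, not lighttpd's mod_auth code, that isolates that scheme check in a hypothetical helper (auth_scheme_of, with the enum and prefix_only_match also invented here) and puts ralf's length-less comparison beside it for contrast. It assumes the HTTP auth-scheme token is case-insensitive, as RFC 2617 (and later RFC 7235) defines it, which is why the reporter's "BASIC Zm9vOmJhcg==" from PHP must be accepted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() */

/* Hypothetical classification of the Authorization scheme (added example). */
enum auth_scheme { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_DIGEST = 2 };

/* Return which scheme the Authorization header value names.
 * The scheme token ends at the first space, exactly as in the snippet
 * quoted in the thread; the length check is kept so that only a token of
 * exactly 5 or 6 characters can match "Basic" or "Digest". */
enum auth_scheme auth_scheme_of(const char *http_authorization)
{
    const char *auth_realm;
    size_t auth_type_len;

    if (http_authorization == NULL)
        return AUTH_NONE;

    /* No space means no credential part: malformed header, reject it. */
    auth_realm = strchr(http_authorization, ' ');
    if (auth_realm == NULL)
        return AUTH_NONE;

    auth_type_len = (size_t)(auth_realm - http_authorization);

    /* Case-insensitive scheme match, bounded by the exact token length.
     * "basicY ..." has auth_type_len == 6 and therefore never reaches the
     * strncasecmp() for "Basic"; "BASIC ..." (as PHP sends it) matches. */
    if (auth_type_len == 5 &&
        0 == strncasecmp(http_authorization, "Basic", auth_type_len))
        return AUTH_BASIC;

    if (auth_type_len == 6 &&
        0 == strncasecmp(http_authorization, "Digest", auth_type_len))
        return AUTH_DIGEST;

    return AUTH_NONE;
}

/* The comparison ralf objected to, with no length check: a bare 5-byte
 * prefix compare, which indeed accepts "basicY". Shown only for contrast. */
int prefix_only_match(const char *http_authorization)
{
    return 0 == strncasecmp(http_authorization, "Basic", 5);
}

int main(void)
{
    /* Constructed sample header values, not captured traffic. */
    const char *samples[] = {
        "Basic Zm9vOmJhcg==",   /* canonical spelling */
        "BASIC Zm9vOmJhcg==",   /* what the reporter saw PHP send */
        "basicY Zm9vOmJhcg==",  /* ralf's counter-example */
        "Digest username=\"foo\", realm=\"x\"",
        "Basic",                /* no space: malformed */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s scheme=%d prefix_only=%d\n", samples[i],
               (int)auth_scheme_of(samples[i]),
               prefix_only_match(samples[i]));
    }
    return 0;
}
```

The table printed by main() makes the point of the thread concrete: auth_scheme_of() accepts the upper-case "BASIC" that strncmp() rejected, still rejects "basicY", and only prefix_only_match(), which drops the length check, would have let the latter through.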

11/23/2007 03:24:17 PM changed by jan

  • status changed from new to closed.
  • version changed from 1.5.x-svn to 1.4.18.
  • resolution set to fixed.
  • milestone changed from 1.5.0 to 1.4.19.

fixed in [2026] for 1.4.x
