Bug #1456
http authorization header case problem
| Status: | Fixed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | mod_auth | | |
| Target version: | 1.4.19 | | |
| Missing in 1.5.x: | | | |
Description
Hi, I noticed that lighttpd doesn't use case-sensitive comparisons for the "Basic" and "Digest" authorization method (mod_auth.c:251 and mod_auth.c:257)
Fix: replace strncmp with strncasecmp.
For example, PHP sends Authorization: BASIC Zm9vOmJhcg== (and it's not recognized by lighttpd)
-- mickael9
Associated revisions
fixed case-sensitive match of auth-method (fixes #1456)
History
#1 Updated by ralf over 5 years ago
Don't use strncasecmp() here, because:
strncasecmp ("basicY", "basicX", 5)
returns 0.
#2 Updated by Anonymous over 5 years ago
Replying to ralf:
> Don't use strncasecmp() here, because:
> strncasecmp ("basicY", "basicX", 5)
> returns 0.
huh ?
strncmp("basicx", "basicy", 5) returns 0 too :)
the only difference between strncmp and strncasecmp is the case-sensitivity
also, auth_type_len is not a fixed-size value, it's the first space's position from the authorization header
```c
if (NULL != (auth_realm = strchr(http_authorization, ' '))) { // Ptr to the first space
    int auth_type_len = auth_realm - http_authorization; // First space's position
    if ((auth_type_len == 5) &&
        (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
```
#3 Updated by ralf over 5 years ago
#4 Updated by jan over 5 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r2026 for 1.4.x
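The two points raised in this thread (the scheme token must match regardless of case, and the token length must be checked before a length-limited compare) are combined in the following added example, which is not lighttpd's code or the r2026 change. `parse_auth_scheme`, `is_basic_case_sensitive` and the enum are hypothetical names; the sample headers other than the PHP one from the report are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

enum auth_scheme { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST };

/* Hypothetical helper, not lighttpd's function: classify the scheme token of an
 * Authorization header value; on a match *cred points at the credentials. */
static enum auth_scheme parse_auth_scheme(const char *hdr, const char **cred)
{
    static const struct { const char *name; enum auth_scheme id; } known[] = {
        { "Basic", AUTH_BASIC }, { "Digest", AUTH_DIGEST },
    };
    const char *sp;
    size_t len, i;

    if (cred) *cred = NULL;
    if (hdr == NULL || (sp = strchr(hdr, ' ')) == NULL) return AUTH_NONE;
    len = (size_t)(sp - hdr); /* token length = offset of the first space */
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        /* Exact length first: strncasecmp() compares only len bytes, so
         * without this check a shorter token such as "Ba" would match. */
        if (len == strlen(known[i].name) &&
            0 == strncasecmp(hdr, known[i].name, len)) {
            if (cred) *cred = sp + 1;
            return known[i].id;
        }
    }
    return AUTH_NONE;
}

/* The case-sensitive check quoted in the thread, kept for comparison. */
static int is_basic_case_sensitive(const char *hdr)
{
    const char *sp = strchr(hdr, ' ');
    return sp != NULL && (sp - hdr) == 5 && 0 == strncmp(hdr, "Basic", 5);
}

int main(void)
{
    /* First entry is the header from the report; the rest are constructed. */
    const char *samples[] = { "BASIC Zm9vOmJhcg==", "Basic Zm9vOmJhcg==",
                              "basicY Zm9vOmJhcg==", "Ba Zm9vOmJhcg==" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s case-sensitive=%d scheme=%d\n", samples[i],
               is_basic_case_sensitive(samples[i]),
               (int)parse_auth_scheme(samples[i], NULL));
    return 0;
}
```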