Bug #1456

http authorization header case problem

Added by Anonymous almost 7 years ago. Updated almost 7 years ago.

Status: Fixed
Priority: Normal
Assignee: -
% Done: 0%
Start date:
Due date:

Category:mod_auth
Target version:1.4.19
Missing in 1.5.x:

Description

Hi, I noticed that lighttpd doesn't use case-sensitive comparisons for the "Basic" and "Digest" authorization methods (mod_auth.c:251 and mod_auth.c:257).

Fix: replace strncmp with strncasecmp.

For example, PHP sends Authorization: BASIC Zm9vOmJhcg== (and it's not recognized by lighttpd)

-- mickael9

Associated revisions

Revision 2026
Added by jan almost 7 years ago

fixed case-sensitive match of auth-method (fixes #1456)

History

#1 Updated by ralf almost 7 years ago

don't use strncasecmp() here, because:

{{{
strncasecmp ("basicY", "basicX", 5)
}}}

returns 0.

#2 Updated by Anonymous almost 7 years ago

Replying to ralf:

don't use strncasecmp() here, because:

{{{
strncasecmp ("basicY", "basicX", 5)
}}}

returns 0.

huh?

strncmp("basicx", "basicy", 5) returns 0 too :)
the only difference between strncmp and strncasecmp is the case-sensitivity
also, auth_type_len is not a fixed-size value, it's the first space's position from the authorization header


{{{
if (NULL != (auth_realm = strchr(http_authorization, ' '))) { // Ptr to the first space
    int auth_type_len = auth_realm - http_authorization; // First space's position

    if ((auth_type_len == 5) &&
        (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
}}}
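
The check discussed in #1 and #2, worked through as an added example (not lighttpd's code and not posted by anyone in this thread): the scheme token is delimited by the first space, its length is compared exactly, and only then is strncasecmp() applied. The enum names, the function names `parse_auth_scheme` and `prefix_only_match`, and the sample header values are assumptions made for this example; the credentials in them are the dummy `foo:bar`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() is POSIX, declared here */

/* Hypothetical result type for this example; not lighttpd's own enum. */
enum auth_scheme { AUTH_NONE = 0, AUTH_BASIC, AUTH_DIGEST };

/* Classify the auth-scheme token of an Authorization header value.
 * The scheme name is case-insensitive, so "BASIC" and "basic" must match
 * "Basic". The exact-length check is what keeps the prefix comparison
 * from accepting "Basicx ..." as Basic; without it, strncmp() and
 * strncasecmp() are equally fooled, as comment #2 points out. */
enum auth_scheme parse_auth_scheme(const char *http_authorization)
{
    const char *sp;
    size_t auth_type_len;

    if (http_authorization == NULL) return AUTH_NONE;

    sp = strchr(http_authorization, ' ');       /* first space ends the scheme token */
    if (sp == NULL) return AUTH_NONE;           /* scheme without any credentials */
    auth_type_len = (size_t)(sp - http_authorization);

    if (auth_type_len == 5 &&
        0 == strncasecmp(http_authorization, "Basic", auth_type_len))
        return AUTH_BASIC;
    if (auth_type_len == 6 &&
        0 == strncasecmp(http_authorization, "Digest", auth_type_len))
        return AUTH_DIGEST;
    return AUTH_NONE;
}

/* The pitfall from comment #1, kept for contrast: a bare 5-byte prefix
 * compare with no length check. Returns 1 when the header "looks like" Basic. */
int prefix_only_match(const char *http_authorization)
{
    return 0 == strncasecmp(http_authorization, "Basic", 5);
}

int main(void)
{
    /* Constructed sample header values for demonstration. */
    const char *samples[] = {
        "Basic Zm9vOmJhcg==",      /* canonical spelling */
        "BASIC Zm9vOmJhcg==",      /* what the report says PHP sends */
        "basic Zm9vOmJhcg==",
        "Digest username=\"foo\"",
        "Basicx Zm9vOmJhcg==",     /* must be rejected: wrong token length */
        "Basic",                   /* no space, so no credentials follow */
    };
    const char *names[] = { "none", "Basic", "Digest" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-26s -> %-6s (prefix-only says %d)\n",
               samples[i],
               names[parse_auth_scheme(samples[i])],
               prefix_only_match(samples[i]));
    }
    return 0;
}
```

Running it shows the three spellings of Basic and the Digest header classified correctly, "Basic" alone rejected for lack of credentials, and "Basicx ..." rejected by `parse_auth_scheme` while `prefix_only_match` still reports 1 for it.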

#3 Updated by ralf almost 7 years ago

..

{{{
if ((auth_type_len == 5) &&
    (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
}}}

..

sorry, you are right.

I didn't scroll up to see that the length is checked, so silently forget my comment ;)

#4 Updated by jan almost 7 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r2026 for 1.4.x
