Bug #2478

invalid memory read in qop=auth-int "handling"

Added by oinkaroonie almost 2 years ago. Updated over 1 year ago.

Status: Fixed
Start date: 2013-02-21
Priority: Normal
Due date: -
Assignee: -
% Done: 100%
Category: -
Target version: 1.4.33
Missing in 1.5.x: No

Description

When qop == "auth-int" in an HTTP Digest authorization request, A2 is supposed to include an MD5sum of the message body. Currently, lighttpd computes the MD5 of random memory:

li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);

This proposed patch correctly computes A2 when qop is "auth-int".

diffs - proposed patch (3.96 KB) oinkaroonie, 2013-02-21 00:53

Associated revisions

Revision 2877
Added by stbuehler over 1 year ago

[mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)

History

#1 Updated by darix almost 2 years ago

  • Status changed from New to Need Feedback
  • with how big of bodies did you test that?
  • did you test it with fastcgi?

#2 Updated by stbuehler over 1 year ago

  • Target version set to 1.4.33

The invalid read should be fixed ofc, but parsing the request body is not gonna happen. (async, ...)

Just use https if you want to protect the connection; qop=auth-int won't be supported.

#3 Updated by stbuehler over 1 year ago

  • Subject changed from qop == "auth-int" doesn't compute A2 correctly to invalid memory read in qop=auth-int "handling"

#4 Updated by stbuehler over 1 year ago

  • Status changed from Need Feedback to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2877.
