Project

General

Profile

Actions

Bug #1456

closed

http authorization header case problem

Added by Anonymous over 16 years ago. Updated over 16 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

Hi, I noticed that lighttpd doesn't use case-sensitive comparaisons for the "Basic" and "Digest" authtorization method (mod_auth.c:251 and mod_auth.c:257)

Fix: replace strncmp to strncasecmp.

For example, PHP sends Authorization: BASIC Zm9vOmJhcg== (and it's not recognized by lighttpd)

-- mickael9

Actions #1

Updated by ralf over 16 years ago

dont use strncasecmp() here, because:


strncasecmp ("basicY", "basicX", 5)

returns 0.

Actions #2

Updated by Anonymous over 16 years ago

Replying to ralf:

dont use strncasecmp() here, because:

{{{
strncasecmp ("basicY", "basicX", 5)
}}}

returns 0.

huh ?

strncmp("basicx", "basicy", 5) returns 0 too :)
the only difference between strncmp and strncasecmp is the case-sensitivity
also, auth_type_len is not a fixed-size value, it's the first space's position from the authorization header


if (NULL != (auth_realm = strchr(http_authorization, ' '))) { // Ptr to the first space
   int auth_type_len = auth_realm - http_authorization; // First space's position

if ((auth_type_len == 5) &&
   (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
Actions #3

Updated by ralf over 16 years ago

..

{{{
if ((auth_type_len 5) &&
(0 strncmp(http_authorization, "Basic", auth_type_len))) {
}}}

..

sorry, you are right.

i dont scroll up to see that the length is checked, so silently forget my comment ;)

Actions #4

Updated by jan over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r2026 for 1.4.x

Actions

Also available in: Atom