Bug #1456
Status: closed
http authorization header case problem
Description
Hi, I noticed that lighttpd doesn't use case-sensitive comparisons for the "Basic" and "Digest" authorization method (mod_auth.c:251 and mod_auth.c:257)
Fix: replace strncmp with strncasecmp.
For example, PHP sends Authorization: BASIC Zm9vOmJhcg== (and it's not recognized by lighttpd)
-- mickael9
Updated by ralf about 17 years ago
don't use strncasecmp() here, because:
{{{
strncasecmp ("basicY", "basicX", 5)
}}}
returns 0.
Updated by Anonymous about 17 years ago
Replying to ralf:
don't use strncasecmp() here, because:
{{{
strncasecmp ("basicY", "basicX", 5)
}}}
returns 0.
huh ?
strncmp("basicx", "basicy", 5) returns 0 too :)
the only difference between strncmp and strncasecmp is the case-sensitivity
also, auth_type_len is not a fixed-size value, it's the first space's position from the authorization header
{{{
if (NULL != (auth_realm = strchr(http_authorization, ' '))) { // Ptr to the first space
    int auth_type_len = auth_realm - http_authorization; // First space's position
    if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
}}}
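The point argued in this thread, as an added example that is not part of the original comments and is not lighttpd's code: a case-insensitive scheme match stays exact as long as the token length up to the first space is checked first. The names `classify_auth_scheme`, `prefix_only_is_basic` and the enum are hypothetical, and the header values are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum auth_scheme { AUTH_NONE = 0, AUTH_BASIC, AUTH_DIGEST };

/* Hypothetical helper: classify the scheme token of an Authorization
 * header value. The token is everything before the first space. */
static enum auth_scheme classify_auth_scheme(const char *http_authorization)
{
    static const struct { const char *name; enum auth_scheme id; } schemes[] = {
        { "Basic",  AUTH_BASIC  },
        { "Digest", AUTH_DIGEST },
    };
    const char *sp;
    size_t auth_type_len, i;

    if (http_authorization == NULL) return AUTH_NONE;
    sp = strchr(http_authorization, ' ');
    if (sp == NULL) return AUTH_NONE;           /* no credentials follow */
    auth_type_len = (size_t)(sp - http_authorization);

    for (i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
        /* The exact-length check rejects "basicY ..." and "Bas ...";
         * strncasecmp on its own only compares a prefix. */
        if (auth_type_len == strlen(schemes[i].name) &&
            0 == strncasecmp(http_authorization, schemes[i].name, auth_type_len))
            return schemes[i].id;
    }
    return AUTH_NONE;
}

/* Prefix-only comparison with a fixed length: accepts "basicY ...". */
static int prefix_only_is_basic(const char *http_authorization)
{
    return 0 == strncasecmp(http_authorization, "Basic", 5);
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "BASIC Zm9vOmJhcg==", "basicY Zm9vOmJhcg==",
                              "digest username=\"foo\"", "Bas Zm9v" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s length-checked=%d prefix-only=%d\n", samples[i],
               classify_auth_scheme(samples[i]), prefix_only_is_basic(samples[i]));
    return 0;
}
```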
Updated by jan almost 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r2026 for 1.4.x