Bug #3023
closedSegfault with mod_auth & htpasswd (lighttpd.conf misconfig)
Description
Problem¶
Lighttpd segfaults when a user submits an HTTP query with an http authentication username + password.
Reproduction setup¶
mkdir bugtest
cd bugtest
# Username is "david", password is "magic"
echo 'david:$apr1$B3hXj5Tz$y8Wa4vd4q3W8tvLp2fOte0' > htpasswd
# Config to ask for http auth on all pages.
printf 'server.modules = ( "mod_expire", "mod_auth", "mod_cgi" )
server.port = 8080
server.document-root = var.CWD + "/public_html"
index-file.names = ( "index.html" )
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = var.CWD + "/htpasswd"
mimetype.assign = (
".html" => "text/html"
)
auth.require = ( "" => ("method" => "digest", "realm" => "bla", "require" => "valid-user") )
' > lighttpd.conf
mkdir public_html
echo 'Moo, if you can see this then the bug is not triggering' > public_html/index.html
lighttpd -f lighttpd.conf -D
Now point your browser at http://localhost:8080/ and try any combination of username and password when challenged. Lighttpd will segfault.
Misc info¶
$ lighttpd -v
lighttpd/1.4.55 (ssl) - a light and fast webserver
$ uname -a
Linux 5.7.9_1 #1 SMP Thu Jul 16 10:02:50 UTC 2020 x86_64 GNU/Linux
$ # Distro: void linux
Updated by veyrdite over 4 years ago
server.modules = ( "mod_auth" ) is enough to trigger this bug, you don't need the others.
I used the auth.require = ( "" => ...) syntax because my intended application uses it inside a $HTTP["url"] =~ ... { } block.
Updated by veyrdite over 4 years ago
Update 2: doh, this line is at fault:
auth.require = ( "" => ("method" => "digest", "realm" => "bla", "require" => "valid-user") )
it should be:
auth.require = ( "" => ("method" => "basic", "realm" => "bla", "require" => "valid-user") )
that fixes the problem.
Updated by gstrauss over 4 years ago
- Target version changed from 1.4.x to 1.4.56
Thank you very much for your detailed bug report, including steps to reproduce.
As you found, the crash is triggered by a server-side misconfiguration in lighttpd.conf, under the control of the admin.
Still, lighttpd should detect this misconfiguration instead of crashing, so I'll put together a patch to address it.
Updated by gstrauss over 4 years ago
- Subject changed from Segfault with mod_auth & htpasswd to Segfault with mod_auth & htpasswd (lighttpd.conf misconfig)
- Status changed from New to Patch Pending
--- a/src/mod_auth.c +++ b/src/mod_auth.c @@ -738,8 +738,15 @@ static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const str char *pw; handler_t rc = HANDLER_UNSET; - if (NULL == backend) { - log_error(r->conf.errh, __FILE__, __LINE__, "auth.backend not configured for %s", r->uri.path.ptr); + if (NULL == backend || NULL == backend->basic) { + if (NULL == backend) + log_error(r->conf.errh, __FILE__, __LINE__, + "auth.backend not configured for %s", r->uri.path.ptr); + else + log_error(r->conf.errh, __FILE__, __LINE__, + "auth.require \"method\" => \"basic\" invalid " + "(try \"digest\"?) for %s", + r->uri.path.ptr); r->http_status = 500; r->handler_module = NULL; return HANDLER_FINISHED; @@ -1208,9 +1215,15 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st dkv[7].ptr = &nc; dkv[8].ptr = &respons; - if (NULL == backend) { - log_error(r->conf.errh, __FILE__, __LINE__, - "auth.backend not configured for %s", r->uri.path.ptr); + if (NULL == backend || NULL == backend->digest) { + if (NULL == backend) + log_error(r->conf.errh, __FILE__, __LINE__, + "auth.backend not configured for %s", r->uri.path.ptr); + else + log_error(r->conf.errh, __FILE__, __LINE__, + "auth.require \"method\" => \"digest\" invalid " + "(try \"basic\"?) for %s", + r->uri.path.ptr); r->http_status = 500; r->handler_module = NULL; return HANDLER_FINISHED;
Updated by veyrdite over 4 years ago
Excellent, thankyou gstrauss. That's probably the politest reply I've ever had for a bug report.
Updated by gstrauss about 4 years ago
- Status changed from Patch Pending to Fixed
Applied in changeset cf0098eac8a12a8dfd700285a659af4639788a91.
Also available in: Atom