Project

General

Profile

Bug #3023

open

Segfault with mod_auth & htpasswd (lighttpd.conf misconfig)

Added by veyrdite about 1 month ago. Updated about 1 month ago.

Status:
Patch Pending
Priority:
Normal
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:
No

Description

Problem

Lighttpd segfaults when a user submits an HTTP query with an http authentication username + password.

Reproduction setup

mkdir bugtest
cd bugtest

# Username is "david", password is "magic" 
echo 'david:$apr1$B3hXj5Tz$y8Wa4vd4q3W8tvLp2fOte0' > htpasswd

# Config to ask for http auth on all pages.  
printf 'server.modules = ( "mod_expire", "mod_auth", "mod_cgi" )

server.port                    = 8080
server.document-root           = var.CWD + "/public_html" 
index-file.names               = ( "index.html" )
auth.backend                   = "htpasswd" 
auth.backend.htpasswd.userfile = var.CWD + "/htpasswd" 

mimetype.assign = ( 
        ".html" => "text/html" 
)
auth.require = ( "" => ("method" => "digest", "realm" => "bla", "require" => "valid-user") )
' > lighttpd.conf

mkdir public_html
echo 'Moo, if you can see this then the bug is not triggering' > public_html/index.html

lighttpd -f lighttpd.conf -D

Now point your browser at http://localhost:8080/ and try any combination of username and password when challenged. Lighttpd will segfault.

Misc info

$ lighttpd -v
lighttpd/1.4.55 (ssl) - a light and fast webserver
$ uname -a
Linux 5.7.9_1 #1 SMP Thu Jul 16 10:02:50 UTC 2020 x86_64 GNU/Linux
$ # Distro: void linux
#1

Updated by veyrdite about 1 month ago

server.modules = ( "mod_auth" ) is enough to trigger this bug, you don't need the others.

I used the auth.require = ( "" => ...) syntax because my intended application uses it inside a $HTTP["url"] =~ ... { } block.

#2

Updated by veyrdite about 1 month ago

Update 2: doh, this line is at fault:

auth.require = ( "" => ("method" => "digest", "realm" => "bla", "require" => "valid-user") )

it should be:

auth.require = ( "" => ("method" => "basic", "realm" => "bla", "require" => "valid-user") )

that fixes the problem.

#3

Updated by gstrauss about 1 month ago

  • Target version changed from 1.4.x to 1.4.56

Thank you very much for your detailed bug report, including steps to reproduce.

As you found, the crash is triggered by a server-side misconfiguration in lighttpd.conf, under the control of the admin.

Still, lighttpd should detect this misconfiguration instead of crashing, so I'll put together a patch to address it.

#4

Updated by gstrauss about 1 month ago

  • Subject changed from Segfault with mod_auth & htpasswd to Segfault with mod_auth & htpasswd (lighttpd.conf misconfig)
  • Status changed from New to Patch Pending
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -738,8 +738,15 @@ static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const str
        char *pw;
        handler_t rc = HANDLER_UNSET;

-       if (NULL == backend) {
-               log_error(r->conf.errh, __FILE__, __LINE__, "auth.backend not configured for %s", r->uri.path.ptr);
+       if (NULL == backend || NULL == backend->basic) {
+               if (NULL == backend)
+                       log_error(r->conf.errh, __FILE__, __LINE__,
+                         "auth.backend not configured for %s", r->uri.path.ptr);
+               else
+                       log_error(r->conf.errh, __FILE__, __LINE__,
+                         "auth.require \"method\" => \"basic\" invalid " 
+                         "(try \"digest\"?) for %s",
+                         r->uri.path.ptr);
                r->http_status = 500;
                r->handler_module = NULL;
                return HANDLER_FINISHED;
@@ -1208,9 +1215,15 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st
        dkv[7].ptr = &nc;
        dkv[8].ptr = &respons;

-       if (NULL == backend) {
-               log_error(r->conf.errh, __FILE__, __LINE__,
-                 "auth.backend not configured for %s", r->uri.path.ptr);
+       if (NULL == backend || NULL == backend->digest) {
+               if (NULL == backend)
+                       log_error(r->conf.errh, __FILE__, __LINE__,
+                         "auth.backend not configured for %s", r->uri.path.ptr);
+               else
+                       log_error(r->conf.errh, __FILE__, __LINE__,
+                         "auth.require \"method\" => \"digest\" invalid " 
+                         "(try \"basic\"?) for %s",
+                         r->uri.path.ptr);
                r->http_status = 500;
                r->handler_module = NULL;
                return HANDLER_FINISHED;
#5

Updated by veyrdite about 1 month ago

Excellent, thankyou gstrauss. That's probably the politest reply I've ever had for a bug report.

Also available in: Atom