lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity

[mod_auth] fix Basic auth passwd cache (fixes #3112) 

(thx manfred)

Basic auth passwd cache might fail to match when it should have
matched (false negative) when comparing an uninitialized byte.
That bug "fails closed" and does not use the cache when it could.
This patch allows for proper match in the cache when it should match.

x-ref:
  https://redmine.lighttpd.net/issues/3112
  "mod_auth cache password doesn't match"
personal/stbuehler/tests-path
Glenn Strauss 2021-10-15 15:57:31 -04:00
parent f5b5537ef1
commit b1d1202af8
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/mod_auth.c
View File

@ -63,7 +63,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
*(store pointer to http_auth_require_t, which is persistent
* and will be different for each realm + permissions combo)*/
http_auth_cache_entry * const ae =
malloc(sizeof(http_auth_cache_entry) + ulen + pwlen);
malloc(sizeof(http_auth_cache_entry) + ulen + pwlen+1);
force_assert(ae);
ae->require = require;
ae->ctime = log_monotonic_secs;
@ -74,6 +74,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
ae->pwdigest = ae->username + ulen;
memcpy(ae->username, username, ulen);
memcpy(ae->pwdigest, pw, pwlen);
ae->pwdigest[pwlen] = '\0';
return ae;
}