
[taler-merchant] branch master updated: fix #7034: URL decode authorizat


From: gnunet
Subject: [taler-merchant] branch master updated: fix #7034: URL decode authorization header token
Date: Sat, 20 Nov 2021 23:37:46 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository merchant.

The following commit(s) were added to refs/heads/master by this push:
     new 0f168f2b fix #7034: URL decode authorization header token
0f168f2b is described below

commit 0f168f2beb607cbe681f1b37be5d92585fa7922b
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Sat Nov 20 23:37:44 2021 +0100

    fix #7034: URL decode authorization header token
---
 src/backend/taler-merchant-httpd.c        | 10 ++++++++--
 src/lib/merchant_api_post_instance_auth.c | 19 ++++++++++++++++++-
 src/lib/merchant_api_post_instances.c     |  8 +++++++-
 3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/taler-merchant-httpd.c 
b/src/backend/taler-merchant-httpd.c
index 73d3327f..727a982e 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -154,22 +154,28 @@ TMH_check_auth (const char *token,
                 const struct GNUNET_HashCode *hash)
 {
   struct GNUNET_HashCode val;
+  char *dec;
+  size_t dec_len;
 
   if (GNUNET_is_zero (hash))
     return GNUNET_OK;
   if (NULL == token)
     return GNUNET_SYSERR;
+  dec_len = GNUNET_STRINGS_urldecode (token,
+                                      strlen (token),
+                                      &dec);
   GNUNET_assert (GNUNET_YES ==
                  GNUNET_CRYPTO_kdf (&val,
                                     sizeof (val),
                                     salt,
                                     sizeof (*salt),
-                                    token,
-                                    strlen (token),
+                                    dec,
+                                    dec_len,
                                     "merchant-instance-auth",
                                     strlen ("merchant-instance-auth"),
                                     NULL,
                                     0));
+  GNUNET_free (dec);
   return (0 == GNUNET_memcmp (&val,
                               hash))
     ? GNUNET_OK
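Review bot: The result of `GNUNET_STRINGS_urldecode` in `TMH_check_auth` is used without any check, so a token with a malformed percent-escape goes straight into the KDF with whatever `dec` and `dec_len` the decoder left behind. The decoder's failure contract is not visible in this hunk; if it can return 0 or leave `dec` unset, the check should fail closed, e.g. `char *dec = NULL;` at the declaration and `if (NULL == dec) return GNUNET_SYSERR;` before the `GNUNET_assert`. The function comment should also state that the token is now compared in decoded form, since previously issued tokens containing a literal `%` or `+` will presumably no longer verify. The function starts and ends outside the hunk.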
diff --git a/src/lib/merchant_api_post_instance_auth.c 
b/src/lib/merchant_api_post_instance_auth.c
index 382e9c42..e2936c5c 100644
--- a/src/lib/merchant_api_post_instance_auth.c
+++ b/src/lib/merchant_api_post_instance_auth.c
@@ -174,11 +174,28 @@ TALER_MERCHANT_instance_auth_post (
   }
   else
   {
+    char *enc;
+
+    if (0 != strncasecmp (RFC_8959_PREFIX,
+                          auth_token,
+                          strlen (RFC_8959_PREFIX)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Authentication token must start with `%s'\n",
+                  RFC_8959_PREFIX);
+      GNUNET_free (iaph->url);
+      GNUNET_free (iaph);
+      return NULL;
+    }
+    (void) GNUNET_STRINGS_urlencode (auth_token,
+                                     strlen (auth_token),
+                                     &enc);
     req_obj = GNUNET_JSON_PACK (
       GNUNET_JSON_pack_string ("method",
                                "token"),
       GNUNET_JSON_pack_string ("token",
-                               auth_token));
+                               enc));
+    GNUNET_free (enc);
   }
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Requesting URL '%s'\n",
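Review bot: `GNUNET_STRINGS_urlencode` is called with its result cast to `(void)` and `enc` is packed into the request unchecked, here and in the matching block of `TALER_MERCHANT_instances_post` in src/lib/merchant_api_post_instances.c. The whole `auth_token`, including the `RFC_8959_PREFIX` that was just validated, goes through the encoder; if the encoder escapes `:` (its unreserved set is not visible here), the receiver would see an escaped prefix, so confirm that the backend decodes before its own prefix check, or encode only the part after the prefix. Since the two blocks are now identical, a small shared helper that validates the prefix and returns the encoded token would keep them from drifting apart. A comment such as `/* token is URL-encoded to match the decode in TMH_check_auth */` would explain why the JSON body carries an encoded value. The enclosing function starts and ends outside the hunk.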
diff --git a/src/lib/merchant_api_post_instances.c 
b/src/lib/merchant_api_post_instances.c
index 0fa7063f..19104aa5 100644
--- a/src/lib/merchant_api_post_instances.c
+++ b/src/lib/merchant_api_post_instances.c
@@ -182,6 +182,8 @@ TALER_MERCHANT_instances_post (
 
   if (NULL != auth_token)
   {
+    char *enc;
+
     if (0 != strncasecmp (RFC_8959_PREFIX,
                           auth_token,
                           strlen (RFC_8959_PREFIX)))
@@ -191,11 +193,15 @@ TALER_MERCHANT_instances_post (
                   RFC_8959_PREFIX);
       return NULL;
     }
+    (void) GNUNET_STRINGS_urlencode (auth_token,
+                                     strlen (auth_token),
+                                     &enc);
     auth_obj = GNUNET_JSON_PACK (
       GNUNET_JSON_pack_string ("method",
                                "token"),
       GNUNET_JSON_pack_string ("token",
-                               auth_token));
+                               enc));
+    GNUNET_free (enc);
   }
   else
   {

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


