[libmicrohttpd] 02/05: gen_auth: detect invalid Digest parameters withou
From: gnunet
Subject: [libmicrohttpd] 02/05: gen_auth: detect invalid Digest parameters without value the end of the string
Date: Sun, 05 Jun 2022 12:08:00 +0200
This is an automated email from the git hooks/post-receive script.
karlson2k pushed a commit to branch master
in repository libmicrohttpd.
commit 6dea1cf68e7b12d6348e37cbe27469c7f6b2ce8e
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
AuthorDate: Fri Jun 3 16:01:30 2022 +0300
gen_auth: detect invalid Digest parameters without value the end of the
string
---
src/microhttpd/gen_auth.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/microhttpd/gen_auth.c b/src/microhttpd/gen_auth.c
index b0a8f295..47dbf35f 100644
--- a/src/microhttpd/gen_auth.c
+++ b/src/microhttpd/gen_auth.c
@@ -176,17 +176,22 @@ parse_dauth_params (const char *str,
for (p = 0; p < sizeof(map) / sizeof(map[0]); p++)
{
struct dauth_token_param *const aparam = map + p;
- if ( (aparam->tk_name->len < left) &&
+ if ( (aparam->tk_name->len <= left) &&
MHD_str_equal_caseless_bin_n_ (str + i, aparam->tk_name->str,
aparam->tk_name->len) &&
- (('=' == str[i + aparam->tk_name->len]) ||
+ ((aparam->tk_name->len == left) ||
+ ('=' == str[i + aparam->tk_name->len]) ||
(' ' == str[i + aparam->tk_name->len]) ||
- ('\t' == str[i + aparam->tk_name->len])) )
+ ('\t' == str[i + aparam->tk_name->len]) ||
+ (',' == str[i + aparam->tk_name->len])) )
{
size_t value_start;
size_t value_len;
bool quoted; /* Only mark as "quoted" if backslash-escape used */
+ if (aparam->tk_name->len == left)
+ return false; /* No equal sign after parameter name, broken data */
+
quoted = false;
i += aparam->tk_name->len;
/* Skip all whitespaces before '=' */
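Review bot: The new ',' alternative in the condition lets a parameter name followed directly by a comma enter the block, but the early return added at the top of the block only covers the case (aparam->tk_name->len == left). For the comma case, rejection depends on the code that follows "Skip all whitespaces before '='", which is outside this hunk, so please confirm that path returns false when the next non-whitespace character is not '=', and add test inputs for both a bare name at the end of the string and a name followed by ','. The commit message mentions only the end-of-string case; the comma handling deserves a line there as well. The length comparison is now evaluated twice, once in the condition and once for the return; a short comment on the condition saying that it has to come before the str[i + aparam->tk_name->len] reads, so that nothing is read past the remaining data (assuming left is the number of bytes remaining from str + i), would make the ordering dependency explicit for later edits.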