[libmicrohttpd] 05/05: gen_auth: do not allow semicolon for digest auth u
From: gnunet
Subject: [libmicrohttpd] 05/05: gen_auth: do not allow semicolon for digest auth unless it is in a quoted string
Date: Sun, 05 Jun 2022 12:08:03 +0200
This is an automated email from the git hooks/post-receive script.
karlson2k pushed a commit to branch master
in repository libmicrohttpd.
commit dbb1222de7d57f5aad9d1c78bb8305d388551040
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
AuthorDate: Sun Jun 5 12:26:00 2022 +0300
gen_auth: do not allow semicolon for digest auth unless it is in a quoted
string
Also forbid binary zero
---
src/microhttpd/gen_auth.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/microhttpd/gen_auth.c b/src/microhttpd/gen_auth.c
index 2cab478b..e13d5578 100644
--- a/src/microhttpd/gen_auth.c
+++ b/src/microhttpd/gen_auth.c
@@ -187,7 +187,8 @@ parse_dauth_params (const char *str,
('=' == str[i + aparam->tk_name->len]) ||
(' ' == str[i + aparam->tk_name->len]) ||
('\t' == str[i + aparam->tk_name->len]) ||
- (',' == str[i + aparam->tk_name->len])) )
+ (',' == str[i + aparam->tk_name->len]) ||
+ (';' == str[i + aparam->tk_name->len])) )
{
size_t value_start;
size_t value_len;
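Review bot: the added `(';' == str[i + aparam->tk_name->len])` alternative makes ';' end a parameter name in the same way as '=', space, tab and ',', which reads as if ';' were an accepted separator, while the commit message says it is not allowed outside a quoted string. A short comment on this condition stating what is expected to happen to the ';' afterwards (the later hunks return false on it) would make the intent clear. With five alternatives in the condition, `str[i + aparam->tk_name->len]` could also be read once into a local variable.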
@@ -236,6 +237,8 @@ parse_dauth_params (const char *str,
{
if (0 == str[i])
return false; /* Binary zero in parameter value */
+ if (';' == str[i])
+ return false; /* Semicolon in parameter value */
i++;
}
value_len = i - value_start;
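Review bot: the diffstat lists only src/microhttpd/gen_auth.c, so the new `return false; /* Semicolon in parameter value */` branch comes without a test in this commit. One header with a semicolon in a value outside quotes (expected to be rejected) and one with a semicolon inside a quoted string (expected to be accepted) would pin down both halves of the commit message. The two adjacent checks could also be written as `if ((0 == str[i]) || (';' == str[i]))`, the form the third hunk uses, so the same rule looks the same in both loops.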
@@ -263,13 +266,17 @@ parse_dauth_params (const char *str,
/* No matching parameter name */
while (str_len > i && ',' != str[i])
{
+ if ((0 == str[i]) || (';' == str[i]))
+ return false; /* Not allowed characters */
if ('"' == str[i])
{ /* Skip quoted part */
i++; /* Advance after the opening quote */
while (str_len > i && '"' != str[i])
{
+ if (0 == str[i])
+ return false; /* Binary zero is not allowed */
if ('\\' == str[i])
- i++; /* Skip escaped char */
+ i++; /* Skip escaped char */
i++;
}
if (str_len <= i)
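Review bot: in the quoted-part loop the added `if (0 == str[i])` check runs before the `'\\'` branch, so the character that follows a backslash is stepped over by the second `i++` without being examined, and a binary zero directly after a backslash inside a quoted string is still accepted. If zero is meant to be forbidden everywhere, as "Also forbid binary zero" suggests, the escaped character needs the same check, for example by testing `str[i]` again after `i++; /* Skip escaped char */` while `str_len > i` holds. The re-indented comment on that line is a whitespace-only change and would be easier to review in a separate commit.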