gnunet-svn


From: gnunet
Subject: [libmicrohttpd] 05/05: gen_auth: do not allow semicolon for digest auth unless it is in a quoted string
Date: Sun, 05 Jun 2022 12:08:03 +0200

This is an automated email from the git hooks/post-receive script.

karlson2k pushed a commit to branch master
in repository libmicrohttpd.

commit dbb1222de7d57f5aad9d1c78bb8305d388551040
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
AuthorDate: Sun Jun 5 12:26:00 2022 +0300

    gen_auth: do not allow semicolon for digest auth unless it is in a quoted string
    
    Also forbid binary zero
---
 src/microhttpd/gen_auth.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/microhttpd/gen_auth.c b/src/microhttpd/gen_auth.c
index 2cab478b..e13d5578 100644
--- a/src/microhttpd/gen_auth.c
+++ b/src/microhttpd/gen_auth.c
@@ -187,7 +187,8 @@ parse_dauth_params (const char *str,
             ('=' == str[i + aparam->tk_name->len]) ||
             (' ' == str[i + aparam->tk_name->len]) ||
             ('\t' == str[i + aparam->tk_name->len]) ||
-            (',' == str[i + aparam->tk_name->len])) )
+            (',' == str[i + aparam->tk_name->len]) ||
+            (';' == str[i + aparam->tk_name->len])) )
       {
         size_t value_start;
         size_t value_len;
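Review bot: The name-terminator condition now compares `str[i + aparam->tk_name->len]` against five characters in a row, and nothing at this spot says why ';' ends a known parameter name when the rest of the patch treats ';' as forbidden. A short comment here would help (for example, that a name followed directly by ';' is matched so it can be rejected further down rather than skipped as an unknown token), and reading the character into a local once would make the delimiter list easier to audit. A test case with a known parameter name immediately followed by ';' would pin the intended result.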
@@ -236,6 +237,8 @@ parse_dauth_params (const char *str,
           {
             if (0 == str[i])
               return false;  /* Binary zero in parameter value */
+            if (';' == str[i])
+              return false;  /* Semicolon in parameter value */
             i++;
           }
           value_len = i - value_start;
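Review bot: In the unquoted value loop the two rejections are written as separate `if` statements, while the unknown-parameter loop in the next hunk combines the same two tests into one `if ((0 == str[i]) || (';' == str[i]))`. Using one form in both places would make it obvious that both loops enforce the same character set. The commit message promises that ';' stays legal inside a quoted string, so a test with ';' in a quoted value alongside one with ';' in an unquoted value would document that this check applies only to the unquoted branch.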
@@ -263,13 +266,17 @@ parse_dauth_params (const char *str,
       /* No matching parameter name */
       while (str_len > i && ',' != str[i])
       {
+        if ((0 == str[i]) || (';' == str[i]))
+          return false; /* Not allowed characters */
         if ('"' == str[i])
         { /* Skip quoted part */
           i++; /* Advance after the opening quote */
           while (str_len > i && '"' != str[i])
           {
+            if (0 == str[i])
+              return false;  /* Binary zero is not allowed */
             if ('\\' == str[i])
-              i++; /* Skip escaped char */
+              i++;           /* Skip escaped char */
             i++;
           }
           if (str_len <= i)
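Review bot: The new binary-zero check in the quoted-part loop does not cover the escaped character. When `'\\' == str[i]`, the code does `i++` to step onto the escaped character and then the unconditional `i++` steps past it, so that character is never compared with 0 and a zero byte directly after a backslash passes through. If "forbid binary zero" is meant to hold everywhere, test the character after the backslash as well (with a `str_len > i` check before reading it). Separately, the `-`/`+` pair on the `i++; /* Skip escaped char */` line only realigns the comment; that is unrelated whitespace churn and is better left out of a behaviour-changing commit.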

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


