[GNUnet-SVN] r37033 - libmicrohttpd/src/microhttpd
From: gnunet
Subject: [GNUnet-SVN] r37033 - libmicrohttpd/src/microhttpd
Date: Tue, 12 Apr 2016 16:36:16 +0200
Author: Karlson2k
Date: 2016-04-12 16:36:16 +0200 (Tue, 12 Apr 2016)
New Revision: 37033
Modified:
libmicrohttpd/src/microhttpd/digestauth.c
Log:
MHD_digest_auth_check(): used internal function to decode nc, fixed incorrect
check (should be 'ULONG_MAX', not 'LONG_MAX'), new check is more strict.
Function should be more secure now.
Modified: libmicrohttpd/src/microhttpd/digestauth.c
===================================================================
--- libmicrohttpd/src/microhttpd/digestauth.c 2016-04-12 14:36:14 UTC (rev
37032)
+++ libmicrohttpd/src/microhttpd/digestauth.c 2016-04-12 14:36:16 UTC (rev
37033)
@@ -668,7 +668,7 @@
(0 == lookup_sub_value (qop, sizeof (qop), header, "qop")) ||
( (0 != strcmp (qop, "auth")) &&
(0 != strcmp (qop, "")) ) ||
- (0 == lookup_sub_value (nc, sizeof (nc), header, "nc")) ||
+ (0 == (len = lookup_sub_value (nc, sizeof (nc), header, "nc")) ) ||
(0 == lookup_sub_value (response, sizeof (response), header,
"response")) )
{
#ifdef HAVE_MESSAGES
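Review bot: the added line assigns inside the condition, (0 == (len = lookup_sub_value (nc, sizeof (nc), header, "nc")) ), and the declaration of len is not part of this diff. Please confirm that len has the type lookup_sub_value returns and that no value stored in len earlier in the function is still needed after this point, since it is overwritten here. Because the assignment sits inside a short-circuit || chain, len is only set when all the earlier clauses are false. That is fine while the failure branch returns MHD_NO before len is read, as the following hunk shows, but a one-line comment stating that dependency would keep a later edit from reading len on the failure path.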
@@ -677,14 +677,11 @@
#endif
return MHD_NO;
}
- nci = strtoul (nc, &end, 16);
- if ( ('\0' != *end) ||
- ( (LONG_MAX == nci) &&
- (ERANGE == errno) ) )
+ if (len != MHD_strx_to_uint64_n_ (nc, len, &nci))
{
#ifdef HAVE_MESSAGES
MHD_DLOG (connection->daemon,
- "Authentication failed, invalid format.\n");
+ "Authentication failed, invalid nc format.\n");
#endif
return MHD_NO; /* invalid nonce format */
}
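Review bot: in the new line if (len != MHD_strx_to_uint64_n_ (nc, len, &nci)), a pointer to nci is handed to a function whose name says it stores a 64-bit value, while the removed line filled nci from strtoul, which returns unsigned long. The declaration of nci is not touched by this diff, so please confirm it is uint64_t; if it is still unsigned long, the store is a type mismatch wherever unsigned long is 32 bits. The removed lines were also the only visible users of end and errno here, so check whether the end variable is now unused and can be dropped. Last, the trailing comment on the return still reads /* invalid nonce format */ although the log message was changed to "invalid nc format"; nc is the nonce count, not the nonce, so the comment should be updated to match.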