diff options
| author | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2016-04-12 14:36:14 +0000 |
|---|---|---|
| committer | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2016-04-12 14:36:14 +0000 |
| commit | 8632cd8c4bb87b5f120d2a518f9ad4807b83c93c (patch) | |
| tree | d1d30cc9d6d7d253cb11176a811ee609b6693bb9 | |
| parent | 095d09c986c895f197d32a8aef67f9f42efcdebe (diff) | |
| download | libmicrohttpd-8632cd8c4bb87b5f120d2a518f9ad4807b83c93c.tar.gz libmicrohttpd-8632cd8c4bb87b5f120d2a518f9ad4807b83c93c.zip | |
MHD_digest_auth_check(): decode timestamp value by internal function, added error checking,
added buffer overrun checking.
digest auth now should be more secure
| -rw-r--r-- | src/microhttpd/digestauth.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c index f461abd4..ea7bc1c7 100644 --- a/src/microhttpd/digestauth.c +++ b/src/microhttpd/digestauth.c | |||
| @@ -619,7 +619,15 @@ MHD_digest_auth_check (struct MHD_Connection *connection, | |||
| 619 | header value. */ | 619 | header value. */ |
| 620 | return MHD_NO; | 620 | return MHD_NO; |
| 621 | } | 621 | } |
| 622 | nonce_time = strtoul (nonce + len - TIMESTAMP_HEX_LEN, (char **)NULL, 16); | 622 | if (TIMESTAMP_HEX_LEN != MHD_strx_to_uint32_n_ (nonce + len - TIMESTAMP_HEX_LEN, |
| 623 | TIMESTAMP_HEX_LEN, &nonce_time)) | ||
| 624 | { | ||
| 625 | #ifdef HAVE_MESSAGES | ||
| 626 | MHD_DLOG (connection->daemon, | ||
| 627 | "Authentication failed, invalid timestamp format.\n"); | ||
| 628 | #endif | ||
| 629 | return MHD_NO; | ||
| 630 | } | ||
| 623 | t = (uint32_t) MHD_monotonic_sec_counter(); | 631 | t = (uint32_t) MHD_monotonic_sec_counter(); |
| 624 | /* | 632 | /* |
| 625 | * First level vetting for the nonce validity: if the timestamp | 633 | * First level vetting for the nonce validity: if the timestamp |