[PATCH] httpd: fix username verification with md5 auth
Peter Korsgaard
jacmet at uclibc.org
Thu Jun 12 12:43:59 PDT 2008
From: Peter Korsgaard <jacmet at sunsite.dk>
checkPerm only verified as many characters of the username as provided
by the client, so e.g. an empty username would always match.
Cleanup and save a few bytes while we are at it:
function old new delta
checkPerm 359 350 -9
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/1 up/down: 0/-9) Total: -9 bytes
Based on (incorrect) patch by Lubos Stanek (lubek) sent to the openwrt list:
http://thread.gmane.org/gmane.comp.embedded.openwrt.devel/1464
Signed-off-by: Peter Korsgaard <jacmet at sunsite.dk>
---
networking/httpd.c | 28 +++++++++++++---------------
1 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/networking/httpd.c b/networking/httpd.c
index 352a97d..db04cde 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1710,29 +1710,27 @@ static int checkPerm(const char *path, const char *request)
if (strncmp(p0, path, l) == 0
&& (l == 1 || path[l] == '/' || path[l] == '\0')
) {
- char *u;
/* path match found. Check request */
/* for check next /path:user:password */
prev = p0;
- u = strchr(request, ':');
- if (u == NULL) {
- /* bad request, ':' required */
- break;
- }
if (ENABLE_FEATURE_HTTPD_AUTH_MD5) {
char *pp;
- if (strncmp(p, request, u - request) != 0) {
- /* user doesn't match */
- continue;
- }
pp = strchr(p, ':');
if (pp && pp[1] == '$' && pp[2] == '1'
- && pp[3] == '$' && pp[4]
- ) {
- char *encrypted = pw_encrypt(u+1, ++pp, 1);
- int r = strcmp(encrypted, pp);
+ && pp[3] == '$' && pp[4]) {
+ char *encrypted;
+ int r, len;
+
+ len = 1 + pp - p;
+ if (strncmp(p, request, len) != 0) {
+ /* user doesn't match */
+ continue;
+ }
+
+ encrypted = pw_encrypt(request+len, p+len, 1);
+ r = strcmp(encrypted, p+len);
free(encrypted);
if (r == 0)
goto set_remoteuser_var; /* Ok */
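Review bot: The `len = 1 + pp - p;` assignment carries the whole fix and has no comment explaining why the `1 +` matters. Because len counts the ':' separator, `strncmp(p, request, len)` succeeds only when the client's username is exactly the configured one, so a shorter or empty username no longer matches. I would add `/* len covers "user:" so the separator must match too, not just a prefix of the name */` above it, so a later size cleanup does not drop the extra byte. Separately, `encrypted` is passed straight to `strcmp`; whether pw_encrypt can return NULL for a malformed salt is not visible here and is worth confirming. checkPerm's body starts and ends outside the hunk.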
@@ -1743,7 +1741,7 @@ static int checkPerm(const char *path, const char *request)
if (strcmp(p, request) == 0) {
set_remoteuser_var:
- remoteuser = xstrndup(request, u - request);
+ remoteuser = xstrndup(request, strchr(request, ':') - request);
return 1; /* Ok */
}
/* unauthorized */
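Review bot: `strchr(request, ':')` at `set_remoteuser_var` is used unchecked, now that the commit has dropped the earlier `u == NULL` bail-out. The goto from the MD5 branch is safe, because the strncmp there has already matched a ':' in request. The plain `strcmp(p, request) == 0` path guarantees a colon only if every stored entry p contains one, and this hunk does not show that. If config parsing does not enforce it, a colon-less entry matched by a colon-less request makes the subtraction produce a bogus length for xstrndup. Either keep the strchr result in a local and treat NULL as unauthorized, or state the invariant next to the call, e.g. `/* request has ':' here: it matched a stored user:password entry */`. The enclosing loop lies outside the hunk.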
--
1.5.5.1