Author: ylavic
Date: Mon Jan 18 17:39:12 2021
New Revision: 1885666
URL: http://svn.apache.org/viewvc?rev=1885666&view=rev
Log:
Merge r1885659 from trunk:
mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway.
Submitted by: ylavic
Reviewed by: ylavic, covener, jailletc36
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1885659
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1885666&r1=1885665&r2=1885666&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jan 18 17:39:12 2021
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.47
+ *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway. [Yann Ylavic]
+
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c?rev=1885666&r1=1885665&r2=1885666&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c (original)
+++ httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c Mon Jan 18 17:39:12 2021
@@ -1426,9 +1426,14 @@ static int check_nonce(request_rec *r, d
time_rec nonce_time;
char tmp, hash[NONCE_HASH_LEN+1];
- if (strlen(resp->nonce) != NONCE_LEN) {
+ /* Since the time part of the nonce is a base64 encoding of an
+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
+ */
+ if (strlen(resp->nonce) != NONCE_LEN
+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
- "invalid nonce %s received - length is not %d",
+ "invalid nonce '%s' received - length is not %d "
+ "or time encoding is incorrect",
resp->nonce, NONCE_LEN);
note_digest_auth_failure(r, conf, resp, 1);
return HTTP_UNAUTHORIZED;
Date: Mon Jan 18 17:39:12 2021
New Revision: 1885666
URL: http://svn.apache.org/viewvc?rev=1885666&view=rev
Log:
Merge r1885659 from trunk:
mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway.
Submitted by: ylavic
Reviewed by: ylavic, covener, jailletc36
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1885659
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1885666&r1=1885665&r2=1885666&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jan 18 17:39:12 2021
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.47
+ *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway. [Yann Ylavic]
+
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c?rev=1885666&r1=1885665&r2=1885666&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c (original)
+++ httpd/httpd/branches/2.4.x/modules/aaa/mod_auth_digest.c Mon Jan 18 17:39:12 2021
@@ -1426,9 +1426,14 @@ static int check_nonce(request_rec *r, d
time_rec nonce_time;
char tmp, hash[NONCE_HASH_LEN+1];
- if (strlen(resp->nonce) != NONCE_LEN) {
+ /* Since the time part of the nonce is a base64 encoding of an
+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
+ */
+ if (strlen(resp->nonce) != NONCE_LEN
+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
- "invalid nonce %s received - length is not %d",
+ "invalid nonce '%s' received - length is not %d "
+ "or time encoding is incorrect",
resp->nonce, NONCE_LEN);
note_digest_auth_failure(r, conf, resp, 1);
return HTTP_UNAUTHORIZED;