Eclipse ThreadX - NetXDuo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications
Hello,
I try to authenticate to the web server with a valid username and an empty password, and the web server accepts my entry.
In this situation the code checks the username and skips the password because it reaches the end of the authorization_decoded string.
The function is _nx_web_http_server_basic_authenticate and the solution is:
    while (name_ptr[i] && (i < authorization_decoded_size))
    {
        /* Is there a mismatch? */
        if (name_ptr[i] != authorization_decoded[i])
        {
            /* Name mismatch. Continue to avoid timing attack. */
            match = NX_FALSE;
        }
        /* Move to next character. */
        i++;
    }
    /* Determine if everything matches. */
    if (match && (authorization_decoded[i++] == ':') && (i < authorization_decoded_size))
    {
        /* Move the authorization index past the semicolon. */
        //i++;
Before, it was:
    while (name_ptr[i] && (i < authorization_decoded_size))
    {
        /* Is there a mismatch? */
        if (name_ptr[i] != authorization_decoded[i])
        {
            /* Name mismatch. Continue to avoid timing attack. */
            match = NX_FALSE;
        }
        /* Move to next character. */
        i++;
    }
    /* Determine if everything matches. */
    if (match && (i < authorization_decoded_size) && (authorization_decoded[i] == ':'))
    {
        /* Move the authorization index past the semicolon. */
        i++;
Thanks, Marco
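The failure mode described in the report above, as an added example that is not part of the original post and is not NetX Duo source: a simplified model of a Basic-auth credential check whose password loop ends when the decoded string runs out, beside a strict form that requires the decoded string to be exactly name, colon, password. The function names, the shape of the password loop and the sample credentials are assumptions; the model also covers truncated passwords, which goes beyond the empty-password case in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model of a "user:password" check; not NetX Duo source.
   Weak form: both loops stop when the decoded buffer runs out, and nothing
   confirms that the expected password was consumed up to its terminator. */
int check_weak(const char *dec, size_t n, const char *name, const char *pw)
{
    size_t i = 0, j = 0;
    int match = 1;
    while (name[i] && i < n) {
        if (name[i] != dec[i]) match = 0;   /* keep going: no early exit */
        i++;
    }
    if (!match || i >= n || dec[i] != ':') return 0;
    i++;                                    /* step past the colon */
    while (pw[j] && i < n) {                /* assumed loop shape */
        if (pw[j] != dec[i]) match = 0;
        i++; j++;
    }
    return match && i == n;                 /* pw[j] == '\0' never checked */
}

/* Strict form: the decoded string must be exactly name ':' password. The
   length test rejects empty and truncated passwords before any byte compare. */
int check_strict(const char *dec, size_t n, const char *name, const char *pw)
{
    size_t nl = strlen(name), pl = strlen(pw), k;
    unsigned char diff = 0;
    if (n != nl + 1 + pl) return 0;
    for (k = 0; k < nl; k++) diff |= (unsigned char)(dec[k] ^ name[k]);
    diff |= (unsigned char)(dec[nl] ^ ':');
    for (k = 0; k < pl; k++) diff |= (unsigned char)(dec[nl + 1 + k] ^ pw[k]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample credentials and decoded Authorization values. */
    const char *cases[] = { "admin:secret", "admin:", "admin:s", "admin:wrong" };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++)
        printf("%-14s weak=%d strict=%d\n", cases[c],
               check_weak(cases[c], strlen(cases[c]), "admin", "secret"),
               check_strict(cases[c], strlen(cases[c]), "admin", "secret"));
    return 0;
}
```

The strict form's early length test reveals only whether the total length is right; the byte comparison itself accumulates differences without branching on the first mismatch.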