ufairiya / mongoose

Automatically exported from code.google.com/p/mongoose
MIT License

commas in the uri cause server crash #110

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. launch mongoose with auth enabled
2. enter a url with commas such as http://127.0.0.1:8080/test.html?a=123,456
3.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
2.8 on linux

Please provide any additional information below.
parse_auth_header calls skip(.. ", ") which treats this particular comma as
a delimiter, so the string is improperly parsed:

Digest username=\"test\", realm=\"TEST\", nonce=\"1262637232\",
uri=\"/test.html?a=123,456", response=\"06e826bfca998239ef7eabf106e250c6\",
qop=auth, nc=0000003b, cnonce=\"e012a11313a6c34e\"

Original issue reported on code.google.com by crazygeo...@gmail.com on 4 Jan 2010 at 9:08

GoogleCodeExporter commented 9 years ago
... this is only with auth on.

Original comment by crazygeo...@gmail.com on 19 Feb 2010 at 4:26

GoogleCodeExporter commented 9 years ago

Original comment by valenok on 25 Feb 2010 at 1:06

GoogleCodeExporter commented 9 years ago
I made a quick fix for this. It's caused by the way the server parses the auth
headers, using the commas as delimiters for the name="value" pairs.

1) Replace the skip function with this version:

/* Tokenizer used by the header parser: returns the word at *buf, terminates
   it, and advances *buf past the delimiters that follow it. The third
   argument lets the caller end the word on one set of characters (e.g. the
   closing quote) but skip a different set afterwards (e.g. the quote plus
   the ", " separator). Note: the default argument is C++ syntax; a C build
   needs an explicit NULL at the two-argument call sites or a small wrapper. */
static char *
skip(char **buf, const char *delimiters, const char *delimitersSkip = NULL)
{
    char    *p, *begin_word, *end_word, *end_delimiters;

    begin_word = *buf;
    end_word = begin_word + strcspn(begin_word, delimiters);
    end_delimiters = end_word + strspn(end_word,
        delimitersSkip ? delimitersSkip : delimiters);

    /* Terminate the word and blank out the delimiter run after it. */
    for (p = end_word; p < end_delimiters; p++)
        *p = '\0';

    *buf = end_delimiters;

    return (begin_word);
}

2) In parse_auth_header, replace the first lines of the for loop with these:

/* Parse authorization header */
for (;;) {
    name = skip(&s, "=");
    if (*s == '"') {
        /* Quoted value: end it at the closing quote only, so a comma inside
           (e.g. uri="/test.html?a=123,456") stays part of the value; then
           skip the quote and the ", " separator. */
        s++;
        value = skip(&s, "\"", "\", ");
    }
    else
    {
        /* Unquoted value (qop, nc, ...): the next ", " still terminates it. */
        value = skip(&s, ", ");
        if (*value == '"') {
            value++;
            value[strlen(value) - 1] = '\0';
        }
    }

    if (*value == '\0') {
        break;
    }

Original comment by sant...@gmail.com on 16 Apr 2010 at 2:58
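The failure the report describes and the effect of the quote-aware fix, as an added example that is neither mongoose's code nor the patch above: a small lookup over the Authorization parameters quoted in the report, run once with the original "any comma ends the value" rule and once ending a quoted value only at its closing quote. `auth_param`, `sample_value_is` and `AUTH_SAMPLE` are names chosen here, not mongoose identifiers.

```c
/* Added example (not mongoose's code nor the commenter's patch): the Digest
 * header from the report parsed the original way and the quote-aware way. */
#include <string.h>

/* Constructed from the header quoted in the report, minus "Digest ". */
static const char AUTH_SAMPLE[] =
    "username=\"test\", realm=\"TEST\", nonce=\"1262637232\", uri=\"/test.html?a=123,456\", "
    "response=\"06e826bfca998239ef7eabf106e250c6\", qop=auth, nc=0000003b, cnonce=\"e012a11313a6c34e\"";

/* Copy the value of `key` into out. quote_aware == 0 mirrors the original
 * skip(&s, ", "): any comma ends a value, then first/last char are stripped if
 * it starts with a quote. quote_aware == 1 ends a quoted value only at its
 * closing quote, as the fix does. Returns 1 if found, 0 if absent/malformed. */
static int auth_param(const char *hdr, const char *key, int quote_aware,
                      char *out, size_t outlen)
{
    const char *s = hdr;
    while (*s != '\0') {
        const char *name = s, *vstart, *vend;
        size_t nlen = strcspn(s, "=");
        if (s[nlen] != '=') return 0;            /* no '=' left: malformed */
        s += nlen + 1;
        if (quote_aware && *s == '"') {
            vstart = ++s;
            vend = s + strcspn(s, "\"");         /* commas inside are data */
            if (*vend != '"') return 0;          /* unterminated quote */
            s = vend + 1;
        } else {
            vstart = s;
            vend = s + strcspn(s, ",");          /* naive: comma ends value */
            s = vend;
            if (!quote_aware && vend - vstart >= 2 && *vstart == '"') {
                vstart++; vend--;                /* blind strip, as in the report */
            }
        }
        if (nlen == strlen(key) && memcmp(name, key, nlen) == 0) {
            size_t vlen = (size_t)(vend - vstart);
            if (vlen >= outlen) return 0;
            memcpy(out, vstart, vlen); out[vlen] = '\0';
            return 1;
        }
        s += strspn(s, ", ");                    /* separator before next pair */
    }
    return 0;
}

/* Does parsing AUTH_SAMPLE for key (in the given mode) yield expected? */
static int sample_value_is(const char *key, int quote_aware, const char *expected)
{
    char v[128];
    return auth_param(AUTH_SAMPLE, key, quote_aware, v, sizeof v) && !strcmp(v, expected);
}
```

With the original rule the uri comes back truncated to `/test.html?a=12` and the `response` parameter is never found at all, so the digest check has nothing correct to verify; the quote-aware rule recovers both.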

GoogleCodeExporter commented 9 years ago
Submitted http://code.google.com/p/mongoose/source/detail?r=497
Thank you!

Original comment by valenok on 21 Apr 2010 at 12:10