From: Yann Ylavic
Date: Mon, 18 Jan 2021 17:01:53 +0000 (+0000)
Subject: mod_auth_digest: Fast validation of the nonce's base64 to fail early if
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1046
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=567a10dc479ef52d14fa8e1f2506484542606c6c;p=thirdparty%2Fapache%2Fhttpd.git
mod_auth_digest: Fast validation of the nonce's base64 to fail early if the format can't match anyway.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885659 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/auth_digest_nonce.txt b/changes-entries/auth_digest_nonce.txt
new file mode 100644
index 00000000000..6a583f6a71f
--- /dev/null
+++ b/changes-entries/auth_digest_nonce.txt
@@ -0,0 +1,3 @@
+ *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway. [Yann Ylavic]
+
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 480f43bf164..c15514b9eac 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -1427,9 +1427,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
 time_rec nonce_time;
 char tmp, hash[NONCE_HASH_LEN+1];
- if (strlen(resp->nonce) != NONCE_LEN) {
+ /* Since the time part of the nonce is a base64 encoding of an
+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
+ */
+ if (strlen(resp->nonce) != NONCE_LEN
+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
- "invalid nonce %s received - length is not %d",
+ "invalid nonce '%s' received - length is not %d "
+ "or time encoding is incorrect",
 resp->nonce, NONCE_LEN);
 note_digest_auth_failure(r, conf, resp, 1);
 return HTTP_UNAUTHORIZED;
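Review bot: The new index read `resp->nonce[NONCE_TIME_LEN - 1]` is only in bounds because the `strlen(resp->nonce) != NONCE_LEN` test short-circuits first and NONCE_TIME_LEN is presumably no larger than NONCE_LEN; neither fact is stated in the hunk and both defines live outside it, so the added comment should record the ordering dependency, e.g. `/* Index is in bounds: length == NONCE_LEN is checked first, and NONCE_TIME_LEN <= NONCE_LEN. */`. The comment's claim that the time part ends in '=' also rests on NONCE_TIME_LEN being the padded base64 length of an 8-byte value (12 characters with one pad), which is worth stating explicitly, since a later change to the time encoding would silently turn this fast-fail into a rejection of every valid nonce. Both failure causes now share the single APLOGNO(01775) message; if operators need to tell a wrong-length probe from a bad time encoding when triaging auth failures in the error log, separate branches with distinct messages would make that visible. The rest of check_nonce, including the hash verification that actually authenticates the nonce, continues outside the hunk.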