-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | src/http_auth.c | 3 |
2 files changed, 3 insertions, 1 deletions
@@ -173,6 +173,7 @@ NEWS
 * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
 * buffer_caseless_compare: always convert letters to lowercase to get transitive results, fixing array lookups (fixes #2405)
 * fix :port handling in $HTTP["host"] checks (fixes #2135. thx liming)
+ * fix memleak in mod_auth (fixes #2457, thx brarcher)
 - 1.5.0-r19.. - * -F option added for spawn-fcgi
diff --git a/src/http_auth.c b/src/http_auth.c
index 2d6180e2..357f4a1b 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -894,7 +894,6 @@ int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p,
 realm = (data_string *)array_get_element(req, CONST_STR_LEN("realm"));
 username = buffer_init();
- password = buffer_init();
 if (!base64_decode(username, realm_str)) {
 log_error_write(srv, __FILE__, __LINE__, "sb", "decodeing base64-string failed", username);
@@ -915,6 +914,8 @@ int http_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p,
 username->used = pw - username->ptr;
+ password = buffer_init();
+ /* copy password to r1 */
 if (http_auth_get_password(srv, p, username, realm->value, password)) {
 buffer_free(username); |
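Review bot: The relocated `password = buffer_init();` in the second http_auth.c hunk now relies on an unwritten ordering rule: the error exits above it release only `username`, and every exit below it has to release both buffers. Nothing in the code records this, so a later edit that hoists the allocation back up, or adds a new return after it, would quietly reintroduce the leak; that matters here because this credential-parsing path appears to run before the client is authenticated, so a per-request leak could be driven remotely. I would add a comment at the allocation, for example `/* allocate only after the username-only error exits above; every exit below must buffer_free(password) */`. The error branch that follows is cut off after `buffer_free(username);`, so whether it also frees `password` cannot be confirmed from this hunk and is worth checking. The body of http_auth_basic_check starts and ends outside the hunk.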