author | Joe Orton <joe@manyfish.uk> | 2020-09-03 21:06:05 +0100 |
---|---|---|
committer | Joe Orton <joe@manyfish.uk> | 2020-09-03 21:06:05 +0100 |
commit | 69c89bcf60e6d1d58c5e3fef1cb260bf0cde59af (patch) | |
tree | 4e8e6cf6eebd248942e3727dbd41266da42dd640 | |
parent | 12af3d767ec8f8b0ebf3fa3a82297b4bb8f6b563 (diff) | |
download | neon-git-69c89bcf60e6d1d58c5e3fef1cb260bf0cde59af.tar.gz |
* src/ne_auth.c (basic_challenge): Reject a Basic challenge if
the username contains a colon.
* test/auth.c (fail_cb, fail_challenge): Test for this failure case.
-rw-r--r-- | src/ne_auth.c | 6 | ||||
-rw-r--r-- | test/auth.c | 13 |
2 files changed, 17 insertions, 2 deletions
diff --git a/src/ne_auth.c b/src/ne_auth.c
index af152ae..fb1f103 100644
--- a/src/ne_auth.c
+++ b/src/ne_auth.c
@@ -435,6 +435,12 @@ static int basic_challenge(auth_session *sess, int attempt,
 return -1;
 }
+ if (strchr(sess->username, ':') != NULL) {
+ challenge_error(errmsg, _("cannot handle Basic challenge "
+ "for username containing colon"));
+ return -1;
+ }
+
 tmp = ne_concat(sess->username, ":", password, NULL);
 sess->basic = ne_base64((unsigned char *)tmp, strlen(tmp));
 ne_free(tmp);
diff --git a/test/auth.c b/test/auth.c
index 985d0eb..3b01f8e 100644
--- a/test/auth.c
+++ b/test/auth.c
@@ -1128,6 +1128,12 @@ static int fail_cb(void *userdata, const char *realm, int tries,
 ne_buffer *buf = userdata;
 char str[64];
+ if (strcmp(realm, "colonic") == 0 && ne_buffer_size(buf) == 0) {
+ ne_strnzcpy(un, "user:name", NE_ABUFSIZ);
+ ne_strnzcpy(pw, "passwerd", NE_ABUFSIZ);
+ return 0;
+ }
+
 ne_snprintf(str, sizeof str, "<%s, %d>", realm, tries);
 ne_buffer_zappend(buf, str);
@@ -1142,6 +1148,8 @@ static int fail_challenge(void)
 /* only possible Basic parse failure. */
 { "Basic", "missing realm in Basic challenge" },
+ { "Basic realm=\"colonic\"", "username containing colon" },
+
 /* Digest parameter invalid/omitted failure cases: */
 { "Digest algorithm=MD5, qop=auth, nonce=\"foo\"", "missing parameter in Digest challenge" },
@@ -1188,7 +1196,8 @@ static int fail_challenge(void)
 "Content-Length: 0\r\n"
 "\r\n", ts[n].resp);
- CALL(make_session(&sess, single_serve_string, resp));
+ CALL(multi_session_server(&sess, "http", "localhost",
+ 2, single_serve_string, resp));
 ne_set_server_auth(sess, fail_cb, buf);
@@ -1208,7 +1217,7 @@ static int fail_challenge(void)
 ne_session_destroy(sess);
 ne_buffer_destroy(buf);
- CALL(await_server());
+ reap_server();
 }
 return OK; |
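Review bot: The early `return -1` added to basic_challenge sits after `password` has been obtained (it is read by `ne_concat` two lines further down), so any clearing of that buffer later in the function is skipped when the username is rejected. The function body runs past this hunk, so confirm against the full source; if the success path wipes `password`, this path should wipe it the same way before returning. The check also deserves a why-comment, for example `/* RFC 7617 section 2: a user-id must not contain ':', because the first colon in user-pass separates it from the password. */`. Without that rule the server would split the decoded string at the first colon and see a different user-id and password than the caller supplied.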
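Review bot: The condition `ne_buffer_size(buf) == 0` in fail_cb does unstated work: it appears to hand out the colon-bearing credentials only on the first callback for the "colonic" realm, letting later calls fall through to the recording path. A one-line comment would make that intent checkable, e.g. `/* First call only: supply a username containing ':' so basic_challenge must reject it. */`. fail_cb starts and ends outside this hunk, so the fall-through behaviour is inferred rather than visible.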
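Review bot: The switch to `multi_session_server(&sess, "http", "localhost", 2, ...)` in this hunk and to `reap_server()` in the last hunk applies to every row of `ts[]`, not only to the new "colonic" case. `CALL(await_server())` fed the server's result into the test outcome; if `reap_server()` only collects the child (its definition is not on this page), a server-side failure in any of the existing challenge cases would no longer fail the test. Add a comment above the call stating which case needs the second connection, and if only the colon case does, consider keeping the stricter `CALL(await_server())` for the other rows. fail_challenge begins and ends outside both hunks.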