Posted to cvs@httpd.apache.org by ja...@apache.org on 2017/12/04 21:54:58 UTC
svn commit: r1817131 - in /httpd/httpd/trunk: CHANGES
modules/aaa/mod_auth_basic.c
Author: jailletc36
Date: Mon Dec 4 21:54:58 2017
New Revision: 1817131
URL: http://svn.apache.org/viewvc?rev=1817131&view=rev
Log:
Be less tolerant when parsing the credential for Basic authorization. Only spaces should be accepted after the authorization scheme. \t are also tolerated.
The current code accepts \v and \f as well.
The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/aaa/mod_auth_basic.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1817131&r1=1817130&r2=1817131&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Dec 4 21:54:58 2017
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+ should be accepted after the authorization scheme. \t are also tolerated.
+ [Christophe Jaillet]
+
*) mod_http2: fixed unfair scheduling when number of active connections
exceeded the scheduling fifo capacity. [Stefan Eissing]
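Review bot: "credencial" on the first added line of the new CHANGES entry should read "credential". The entry also says only spaces should be accepted and then that \t are tolerated, which reads as contradictory; something like "Only spaces and tabs are now skipped after the authorization scheme" would be clearer. Since the log message notes that \v and \f were previously accepted, naming them in the entry would tell administrators exactly which inputs are now rejected.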
Modified: httpd/httpd/trunk/modules/aaa/mod_auth_basic.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c?rev=1817131&r1=1817130&r2=1817131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_auth_basic.c Mon Dec 4 21:54:58 2017
@@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r
}
/* Skip leading spaces. */
- while (apr_isspace(*auth_line)) {
+ while (*auth_line == ' ' || *auth_line == '\t') {
auth_line++;
}
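Review bot: The comment "Skip leading spaces." above the changed loop no longer says enough, since the condition is now deliberately limited to ' ' and '\t'. Please update it to state that only space and tab are skipped after the scheme, so a later cleanup does not switch the loop back to apr_isspace(). The log message says ap_get_basic_auth_pw() already carries the same check and is mostly the same function as get_basic_auth(); it may be worth a follow-up that shares this parsing between the two so they cannot drift apart again.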