Posted to cvs@httpd.apache.org by ja...@apache.org on 2017/12/04 21:54:58 UTC

svn commit: r1817131 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_basic.c

Author: jailletc36
Date: Mon Dec  4 21:54:58 2017
New Revision: 1817131

URL: http://svn.apache.org/viewvc?rev=1817131&view=rev
Log:
Be less tolerant when parsing the credential for Basic authorization. Only spaces should be accepted after the authorization scheme. \t are also tolerated.

The current code accepts \v and \f as well.

The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/aaa/mod_auth_basic.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1817131&r1=1817130&r2=1817131&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Dec  4 21:54:58 2017
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+     should be accepted after the authorization scheme. \t are also tolerated.
+     [Christophe Jaillet]
+  
   *) mod_http2: fixed unfair scheduling when number of active connections
      exceeded the scheduling fifo capacity. [Stefan Eissing]
 
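Review bot: The new CHANGES entry misspells "credencial" (should be "credentials"), and its two sentences read as contradictory: "Only spaces should be accepted" is followed directly by "\t are also tolerated". Suggest a single statement such as "Only spaces and tabs are accepted after the authorization scheme", and mention that \v and \f are no longer skipped, since that is the user-visible behaviour change. The added separator line "+  " also carries trailing whitespace; an empty line would match the rest of the file.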

Modified: httpd/httpd/trunk/modules/aaa/mod_auth_basic.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c?rev=1817131&r1=1817130&r2=1817131&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_auth_basic.c Mon Dec  4 21:54:58 2017
@@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r
     }
 
     /* Skip leading spaces. */
-    while (apr_isspace(*auth_line)) {
+    while (*auth_line == ' ' || *auth_line == '\t') {
         auth_line++;
     }
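Review bot: The comment "/* Skip leading spaces. */" above the changed loop no longer describes the condition exactly, because the loop now skips ' ' and '\t' only. Suggest updating it to say "spaces and tabs" and to note that other whitespace is deliberately left in place, so a later reader does not "simplify" the test back to apr_isspace(). The log message says ap_get_basic_auth_pw() uses the same test; since the two functions are described as mostly the same, a shared helper or a cross-reference comment would keep them from drifting apart again. A test request whose Authorization header puts \v or \f after the scheme would pin down the stricter parsing.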