Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/01/29 10:15:36 UTC

[Bug 63124] New: race condition in mod_auth_digest

https://bz.apache.org/bugzilla/show_bug.cgi?id=63124

            Bug ID: 63124
           Summary: race condition in mod_auth_digest
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth_digest
          Assignee: bugs@httpd.apache.org
          Reporter: simon.kappel@axis.com
  Target Milestone: ---

Created attachment 36400
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36400&action=edit
fix race condition in mod_auth_digest

When there are requests made from multiple different users
on the same host to the same protection space, a race condition occurs
so that the realmhash from another user may sometimes
be used for validation when comparing digest with
expected digest.

I can reproduce this by running two test scripts which repeatedly request a
resource using different users.

script1:
# loop forever, authenticating as user "test" with HTTP Digest
while true; do
    curl -u test:test --digest "http://<ip>/cgi/mycgi.cgi"
done

script2:
# same resource, same protection space, concurrently as user "test2"
while true; do
    curl -u test2:test2 --digest "http://<ip>/cgi/mycgi.cgi"
done

Sometimes the digest module will claim that there is a password mismatch
(APLOGNO(01792)).

Debugging this I found that the realmhash (ha1) used to compare digests was
sometimes from the wrong user.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 63124] race condition in mod_auth_digest

Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Christophe JAILLET <ch...@wanadoo.fr> ---
Backported in r1855298.
This is part of 2.4.39.

[Bug 63124] race condition in mod_auth_digest

Simon Kappel <si...@axis.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simon.kappel@axis.com

[Bug 63124] race condition in mod_auth_digest

Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk,
                   |                            |PatchAvailable

--- Comment #2 from Christophe JAILLET <ch...@wanadoo.fr> ---
Hi,

thx for the report, the reproducer and the patch.

I've only slightly changed your patch.
'char **rethash' has been turned into 'const char **rethash' to fix a
compilation warning, at least in maintainer-mode.

This has been fixed in trunk in r1853190 and will be proposed soon for backport
in 2.4.x.

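
A small model of the defect reported above and of the fix shape described in comment #2, added here as an example (it is not httpd's code nor the attached patch): a per-request HA1 parked in a config record shared by every request to the protection space, beside the caller-owned out-parameter form. The struct, function and hash values are this example's own constructed stand-ins, and the thread interleaving is forced deterministically rather than raced.

```c
#include <string.h>
/* Shared per-directory config for one protection space, a simplified stand-in
 * for httpd's digest config record (names here are this example's own). */
typedef struct {
    const char *realm;
    const char *ha1;   /* per-request realm hash parked in shared state: the defect */
} shared_conf;

/* Constructed stand-in for the password provider: user -> precomputed HA1. */
static const char *lookup_ha1(const char *user) {
    if (strcmp(user, "test") == 0)  return "HA1_OF_test";   /* constructed */
    if (strcmp(user, "test2") == 0) return "HA1_OF_test2";  /* constructed */
    return NULL;
}

/* Buggy pattern: the looked-up hash is stored in the shared config record. */
static int get_hash_shared(shared_conf *conf, const char *user) {
    const char *h = lookup_ha1(user);
    if (h == NULL) return 0;
    conf->ha1 = h;
    return 1;
}

/* Fixed pattern: the hash goes back through a caller-owned out-parameter,
 * the 'const char **rethash' shape described in comment #2. */
static int get_hash_fixed(const char *user, const char **rethash) {
    const char *h = lookup_ha1(user);
    if (h == NULL) return 0;
    *rethash = h;
    return 1;
}

/* The interleaving the reporter hit: request A (user test) fetches its hash,
 * request B (user test2) does the same on another thread before A validates,
 * and A then compares against the shared slot. 1 only if A sees its own HA1. */
int validate_buggy_interleaved(void) {
    shared_conf conf = { "cgi", NULL };
    get_hash_shared(&conf, "test");    /* request A */
    get_hash_shared(&conf, "test2");   /* request B */
    return strcmp(conf.ha1, "HA1_OF_test") == 0;   /* 0: test2's HA1 */
}

/* Same interleaving with per-request storage: each request keeps its own HA1. */
int validate_fixed_interleaved(void) {
    const char *ha1_a = NULL, *ha1_b = NULL;
    get_hash_fixed("test", &ha1_a);    /* request A */
    get_hash_fixed("test2", &ha1_b);   /* request B */
    return strcmp(ha1_a, "HA1_OF_test") == 0 && strcmp(ha1_b, "HA1_OF_test2") == 0;
}
```

The buggy path is exactly the APLOGNO(01792) mismatch from the report: a valid user is refused because the comparison reads another request's HA1.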
[Bug 63124] race condition in mod_auth_digest

--- Comment #1 from Simon Kappel <si...@axis.com> ---
It is my belief that this patch should be merged to trunk.
Please test and review attached patch.
Thanks
