From: Peter Korsgaard <[EMAIL PROTECTED]> checkPerm only verified as many characters of the username as provided by the client, so E.G. an empty username would always match.
Cleanup and save a few bytes while we are at it: function old new delta checkPerm 359 350 -9 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 0/1 up/down: 0/-9) Total: -9 bytes Based on (incorrect) patch by Lubos Stanek (lubek) sent to the openwrt list: http://thread.gmane.org/gmane.comp.embedded.openwrt.devel/1464 Signed-off-by: Peter Korsgaard <[EMAIL PROTECTED]> --- networking/httpd.c | 28 +++++++++++++--------------- 1 files changed, 13 insertions(+), 15 deletions(-) diff --git a/networking/httpd.c b/networking/httpd.c index 352a97d..db04cde 100644 --- a/networking/httpd.c +++ b/networking/httpd.c @@ -1710,29 +1710,27 @@ static int checkPerm(const char *path, const char *request) if (strncmp(p0, path, l) == 0 && (l == 1 || path[l] == '/' || path[l] == '\0') ) { - char *u; /* path match found. Check request */ /* for check next /path:user:password */ prev = p0; - u = strchr(request, ':'); - if (u == NULL) { - /* bad request, ':' required */ - break; - } if (ENABLE_FEATURE_HTTPD_AUTH_MD5) { char *pp; - if (strncmp(p, request, u - request) != 0) { - /* user doesn't match */ - continue; - } pp = strchr(p, ':'); if (pp && pp[1] == '$' && pp[2] == '1' - && pp[3] == '$' && pp[4] - ) { - char *encrypted = pw_encrypt(u+1, ++pp, 1); - int r = strcmp(encrypted, pp); + && pp[3] == '$' && pp[4]) { + char *encrypted; + int r, len; + + len = 1 + pp - p; + if (strncmp(p, request, len) != 0) { + /* user doesn't match */ + continue; + } + + encrypted = pw_encrypt(request+len, p+len, 1); + r = strcmp(encrypted, p+len); free(encrypted); if (r == 0) goto set_remoteuser_var; /* Ok */ @@ -1743,7 +1741,7 @@ static int checkPerm(const char *path, const char *request) if (strcmp(p, request) == 0) { set_remoteuser_var: - remoteuser = xstrndup(request, u - request); + remoteuser = xstrndup(request, strchr(request, ':') - request); return 1; /* Ok */ } /* unauthorized */ -- 1.5.5.1 _______________________________________________ busybox mailing list [email protected] http://busybox.net/cgi-bin/mailman/listinfo/busybox
