#45568 [Opn->Csd]: [PATCH] ISAPI doesn't properly clear auth_digest in header

Wed, 30 Jul 2008 17:49:57 -0700 

 ID:               45568
 Updated by:       [EMAIL PROTECTED]
-Summary:          [PATCH] ISAPI doesn't property clear auth_digest in
                   header
 Reported By:      navara at emclient dot com
-Status:           Open
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: Windows
 PHP Version:      5.2.6
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Patch applied, thanks!


Previous Comments:
------------------------------------------------------------------------

[2008-07-19 23:31:45] navara at emclient dot com

Description:
------------
The crash happens when client sends HTTP_AUTHORIZATION header starting
with "Digest " once and then makes another request with no authorization
request specified. Underlying reason is that
SG(request_info).auth_digest is set on the first request and later freed
when the request is finished, but SG(request_info).auth_digest is never
cleared. Thus on next request SG(request_info).auth_digest still
contains the old pointer and once the request shutdown is performed the
already freed pointer is accessed.

Patch below fixes it, though using sapi_initialize_empty_request on
appropriate place might be a better fix.

--- sapi\isapi\php5isapi.c
+++ sapi\isapi\php5isapi.c
@@ -711,6 +711,7 @@
                case SF_NOTIFY_PREPROC_HEADERS:
                        SG(request_info).auth_user = NULL;
                        SG(request_info).auth_password = NULL;
+                       SG(request_info).auth_digest = NULL;
                        break;
                case SF_NOTIFY_AUTHENTICATION: {
                                char *auth_user = ((HTTP_FILTER_AUTHENT *)
pvNotification)->pszUser;
@@ -745,7 +746,7 @@
        SG(request_info).content_length = lpECB->cbTotalBytes;
        SG(sapi_headers).http_response_code = 200;  /* I think
dwHttpStatusCode is invalid at this stage -RL */
        if (!bFilterLoaded) { /* we don't have valid ISAPI Filter information
*/
-               SG(request_info).auth_user = SG(request_info).auth_password = 
NULL;
+               SG(request_info).auth_user = SG(request_info).auth_password =
SG(request_info).auth_digest = NULL;
        }
 
 #ifdef WITH_ZEUS




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=45568&edit=1

Reply via email to