Right now we do not verify the nonce used in digest. This means that
an attacker can replay the response from another site or section
on the web site if
- the user's username+password is the same across the sites.
- the realm name is the same
Unfortunately that is often the case (and, for real, there
is a lot of DAV and WebDAV out there).
Below somewhat addresses that by verifying that the nonce
is actually our own.
Dw
Index: include/http_core.h
===
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
retrieving revision 1.71
diff -u -r1.71 http_core.h
--- include/http_core.h 7 Jul 2003 00:34:09 - 1.71
+++ include/http_core.h 18 Dec 2003 17:30:29 -
@@ -162,6 +162,7 @@
API_EXPORT(const char *) ap_auth_type (request_rec *);
API_EXPORT(const char *) ap_auth_name (request_rec *);
+API_EXPORT(const char *) ap_auth_nonce (request_rec *);
API_EXPORT(int) ap_satisfies (request_rec *r);
API_EXPORT(const array_header *) ap_requires (request_rec *);
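Review bot: The new exported `ap_auth_nonce` prototype carries no comment on what it returns or how long the string lives, and the implementation in http_core.c returns either the configured `AuthNonce` string or a value built in `r->pool`, so callers must not cache it beyond the request. Suggest a one-line comment above the declaration: `/* Per-server/realm token used to recognise our own digest nonces; the returned string is valid for the lifetime of r->pool. */`. The surrounding declarations are undocumented too, but this one introduces a lifetime rule worth stating.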
@@ -244,6 +245,7 @@
int satisfy;
char *ap_auth_type;
char *ap_auth_name;
+char *ap_auth_nonce; /* digest auth */
array_header *ap_requires;
/* Custom response config. These can contain text or a URL to redirect to.
Index: main/http_core.c
===
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.327
diff -u -r1.327 http_core.c
--- main/http_core.c17 Nov 2003 17:14:53 - 1.327
+++ main/http_core.c18 Dec 2003 17:30:30 -
@@ -236,6 +236,9 @@
if (new-ap_auth_name) {
conf-ap_auth_name = new-ap_auth_name;
}
+if (new-ap_auth_nonce) {
+conf-ap_auth_nonce= new-ap_auth_nonce;
+}
if (new-ap_requires) {
conf-ap_requires = new-ap_requires;
}
@@ -577,6 +580,29 @@
return conf-ap_auth_name;
}
+API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
+{
+core_dir_config *conf;
+conf = (core_dir_config *)ap_get_module_config(r-per_dir_config,
+ core_module);
+if (conf-ap_auth_nonce)
+ return conf-ap_auth_nonce;
+
+/* Ideally we'd want to mix in some per-directory style
+ * information; as we are likely to want to detect replay
+ * across those boundaries and some randomness. But that
+ * is harder due to the adhoc nature of .htaccess memory
+ * structures, restarts and forks.
+ *
+ * But then again - you should use AuthNonce in your config
+ * file if you care. So the adhoc value should do.
+ */
+return ap_psprintf(r-pool,%lu%lu%lu%lu%lu%s,
+ *(unsigned long *)((r-connection-local_addr).sin_addr ),
+ ap_user_name, ap_listeners, ap_server_argv0, ap_pid_fname
+);
+}
+
API_EXPORT(const char *) ap_default_type(request_rec *r)
{
core_dir_config *conf;
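Review bot: The fallback `ap_psprintf` in `ap_auth_nonce` passes five arguments to a format with six conversions (`%lu%lu%lu%lu%lu%s`), so the trailing `%s` consumes an argument that was never supplied — undefined behaviour and, in practice, a crash or garbage bytes in every generated nonce; please check the committed line against the text shown here. The first argument reads `sin_addr` through an `unsigned long *`, which on 64-bit hosts pulls in four bytes past the address and breaks strict aliasing, and the four pointer arguments are passed to `%lu` without a cast; `(unsigned long) r->connection->local_addr.sin_addr.s_addr` plus explicit `(unsigned long)` casts on `ap_user_name`, `ap_listeners`, `ap_server_argv0` and `ap_pid_fname` with a matching `"%lu%lu%lu%lu%lu"` format is what the code appears to intend. Two caveats belong in the comment block: the pointer values are fixed per binary image, so with address randomisation they change on every restart and challenges issued before a restart presumably stop validating; and every input is guessable by anyone who can read the server's IP and binary, so this default only separates realms — it does not stop a hostile site that can predict our nonce from issuing it to the user itself.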
@@ -2797,6 +2823,28 @@
return NULL;
}
+/*
+ * Load an authorisation nonce into our location configuration, and
+ * force it to be in the 0-9/A-Z realm.
+ */
+static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1)
+{
+core_dir_config *aconfig = (core_dir_config *)mconfig;
+int i;
+
+aconfig-ap_auth_nonce = ap_escape_quotes(cmd-pool, word1);
+
+if (strlen(aconfig-ap_auth_nonce) 510)
+ return AuthNonce lenght limited to 510 chars for browser
compatibility;
+
+for(i=0;istrlen(aconfig-ap_auth_nonce );i++)
+ if (!ap_isalnum(aconfig-ap_auth_nonce [i]))
+ return AuthNonce limited to 0-9 and A-Z range for browser
compatibilty;
+
+return NULL;
+}
+
+
#ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name)
{
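Review bot: `set_authnonce` stores the directive value into `aconfig->ap_auth_nonce` before validating it, so a rejected `AuthNonce` still leaves the bad string in the config; validate `word1` first and assign only on success. The loop uses `ap_isalnum`, which accepts lowercase letters as well, while the comment and error text promise `0-9/A-Z`; say "alphanumeric" in both and fix `lenght` and `compatibilty`. `strlen` is recomputed on every iteration and, because only alphanumerics survive the check, `ap_escape_quotes` can never alter an accepted value, so a plain `ap_pstrdup` is enough.

```c
static const char *set_authnonce(cmd_parms *cmd, void *mconfig, char *word1)
{
    core_dir_config *aconfig = (core_dir_config *)mconfig;
    size_t len = strlen(word1);
    size_t i;

    /* Validate before storing so a rejected value never lands in the config. */
    if (len > 510)
        return "AuthNonce length limited to 510 chars for browser compatibility";

    for (i = 0; i < len; i++)
        if (!ap_isalnum(word1[i]))
            return "AuthNonce limited to alphanumeric (0-9, A-Z, a-z) characters for browser compatibility";

    /* Only alphanumerics reach here, so no quote escaping is needed. */
    aconfig->ap_auth_nonce = ap_pstrdup(cmd->pool, word1);
    return NULL;
}
```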
@@ -3411,6 +3459,9 @@
An HTTP authorization type (e.g., \Basic\) },
{ AuthName, set_authname, NULL, OR_AUTHCFG, TAKE1,
The authentication realm (e.g. \Members Only\) },
+{ AuthNonce, set_authnonce, NULL, OR_AUTHCFG, TAKE1,
+ An authentication token which should be different for each logical realm. \
+ A random value or the servers IP may be a good choise.\n },
{ Require, require, NULL, OR_AUTHCFG, RAW_ARGS,
Selects which authenticated users or groups may access a protected space },
{ Satisfy, satisfy, NULL, OR_AUTHCFG, TAKE1,
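Review bot: The `AuthNonce` help text recommends `the servers IP` as a good value (and has `choise` for `choice`, `servers` for `server's`), but a publicly known token only separates realms against an accidental replay: a hostile site that can predict our nonce can present it to the user in its own challenge and relay the resulting response to us. Whether the derivation in http_protocol.c makes that exploitable is outside this hunk, so the safer advice is an unguessable value; suggest `An authentication token which should differ for each logical realm. Use a random, unguessable string and keep it private.\n`. It would also help to state here the limits `set_authnonce` enforces — alphanumeric characters only, at most 510 of them.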
Index: main/http_protocol.c
===
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.330
diff -u -r1.330 http_protocol.c
--- main/http_protocol.c3 Feb 2003 17:13:22 - 1.330
+++ main/http_protocol.c18 Dec 2003 17:30:32 -
@@ -76,6 +76,7 @@
#include util_date.h /* For parseHTTPdate and BAD_DATE */
#include stdarg.h
#include http_conf_globals.h
+#include util_md5.h /* For digestAuth */
#define SET_BYTES_SENT(r) \
do { if (r-sent_bodyct) \
@@ -1391,11 +1392,24 @@
API_EXPORT(void)