author | dartraiden <wowemuh@gmail.com> | 2022-07-02 23:09:35 +0300 |
---|---|---|
committer | dartraiden <wowemuh@gmail.com> | 2022-07-02 23:09:35 +0300 |
commit | 5882ac58f5d5cbcfa9f9d4015285d4f5d2b7c755 (patch) | |
tree | ab1c3cd0b9893ecfef62702fbb9811f610b8b224 /libs/libcurl/src/vauth/digest.c | |
parent | 59efa751fe2e8189c625b67d9c98b7155e59022e (diff) |
libcurl: update to 7.84.0
Diffstat (limited to 'libs/libcurl/src/vauth/digest.c')
-rw-r--r-- | libs/libcurl/src/vauth/digest.c | 112 |
1 files changed, 74 insertions, 38 deletions
diff --git a/libs/libcurl/src/vauth/digest.c b/libs/libcurl/src/vauth/digest.c index d4616095da..355cd74a6e 100644 --- a/libs/libcurl/src/vauth/digest.c +++ b/libs/libcurl/src/vauth/digest.c @@ -18,6 +18,8 @@ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY * KIND, either express or implied. * + * SPDX-License-Identifier: curl + * * RFC2831 DIGEST-MD5 authentication * RFC7616 DIGEST-SHA256, DIGEST-SHA512-256 authentication * @@ -79,44 +81,50 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, } for(c = DIGEST_MAX_CONTENT_LENGTH - 1; *str && c--; str++) { - switch(*str) { - case '\\': - if(!escape) { - /* possibly the start of an escaped quote */ - escape = TRUE; - *content++ = '\\'; /* Even though this is an escape character, we still - store it as-is in the target buffer */ - continue; - } - break; - - case ',': - if(!starts_with_quote) { - /* This signals the end of the content if we didn't get a starting - quote and then we do "sloppy" parsing */ - c = 0; /* the end */ - continue; - } - break; - - case '\r': - case '\n': - /* end of string */ - c = 0; - continue; + if(!escape) { + switch(*str) { + case '\\': + if(starts_with_quote) { + /* the start of an escaped quote */ + escape = TRUE; + continue; + } + break; + + case ',': + if(!starts_with_quote) { + /* This signals the end of the content if we didn't get a starting + quote and then we do "sloppy" parsing */ + c = 0; /* the end */ + continue; + } + break; - case '\"': - if(!escape && starts_with_quote) { + case '\r': + case '\n': /* end of string */ + if(starts_with_quote) + return FALSE; /* No closing quote */ c = 0; continue; + + case '\"': + if(starts_with_quote) { + /* end of string */ + c = 0; + continue; + } + else + return FALSE; + break; } - break; } escape = FALSE; *content++ = *str; } + if(escape) + return FALSE; /* No character after backslash */ *content = 0; *endptr = str; 
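Review bot: In the rewritten loop of `Curl_auth_digest_get_pair`, a quoted value with no closing quote is rejected only when a CR or LF is reached. If the loop instead stops because `*str` hits the terminating NUL or the `DIGEST_MAX_CONTENT_LENGTH` budget in `c` runs out, control still falls through to `*content = 0`, so as far as the hunk shows an unterminated or over-long quoted value is accepted in truncated form. Recording the closing quote would make the exits consistent: set `closed = TRUE;` in the `'\"'` case and add `if(starts_with_quote && !closed) return FALSE;` after the loop. The `break;` after `else return FALSE;` is unreachable and can be dropped. The function's opening and its final return lie outside the hunk.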
@@ -664,6 +672,8 @@ static CURLcode auth_create_digest_http_message( char *cnonce = NULL; size_t cnonce_sz = 0; char *userp_quoted; + char *realm_quoted; + char *nonce_quoted; char *response = NULL; char *hashthis = NULL; char *tmp = NULL; @@ -687,7 +697,7 @@ static CURLcode auth_create_digest_http_message( } if(digest->userhash) { - hashthis = aprintf("%s:%s", userp, digest->realm); + hashthis = aprintf("%s:%s", userp, digest->realm ? digest->realm : ""); if(!hashthis) return CURLE_OUT_OF_MEMORY; @@ -707,7 +717,8 @@ static CURLcode auth_create_digest_http_message( unq(nonce-value) ":" unq(cnonce-value) */ - hashthis = aprintf("%s:%s:%s", userp, digest->realm, passwdp); + hashthis = aprintf("%s:%s:%s", userp, digest->realm ? digest->realm : "", + passwdp); if(!hashthis) return CURLE_OUT_OF_MEMORY; 
@@ -786,16 +797,33 @@ static CURLcode auth_create_digest_http_message( nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca" Digest parameters are all quoted strings. Username which is provided by - the user will need double quotes and backslashes within it escaped. For - the other fields, this shouldn't be an issue. realm, nonce, and opaque - are copied as is from the server, escapes and all. cnonce is generated - with web-safe characters. uri is already percent encoded. nc is 8 hex + the user will need double quotes and backslashes within it escaped. + realm, nonce, and opaque will need backslashes as well as they were + de-escaped when copied from request header. cnonce is generated with + web-safe characters. uri is already percent encoded. nc is 8 hex characters. algorithm and qop with standard values only contain web-safe characters. */ userp_quoted = auth_digest_string_quoted(digest->userhash ? userh : userp); if(!userp_quoted) return CURLE_OUT_OF_MEMORY; + if(digest->realm) + realm_quoted = auth_digest_string_quoted(digest->realm); + else { + realm_quoted = malloc(1); + if(realm_quoted) + realm_quoted[0] = 0; + } + if(!realm_quoted) { + free(userp_quoted); + return CURLE_OUT_OF_MEMORY; + } + nonce_quoted = auth_digest_string_quoted(digest->nonce); + if(!nonce_quoted) { + free(realm_quoted); + free(userp_quoted); + return CURLE_OUT_OF_MEMORY; + } if(digest->qop) { response = aprintf("username=\"%s\", " @@ -807,8 +835,8 @@ static CURLcode auth_create_digest_http_message( "qop=%s, " "response=\"%s\"", userp_quoted, - digest->realm, - digest->nonce, + realm_quoted, + nonce_quoted, uripath, digest->cnonce, digest->nc, 
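Review bot: `digest->nonce` is passed to `auth_digest_string_quoted()` without the NULL guard that `digest->realm` gets a few lines above it. If the challenge decoder, which is not part of this diff, already refuses a challenge that carries no nonce, a one-line comment such as `/* nonce is never NULL here: decoding fails without it */` would record that invariant next to the call. Otherwise the call needs the same guard as realm. The function begins and ends outside the hunk, so earlier validation cannot be confirmed from here.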
@@ -827,18 +855,26 @@ static CURLcode auth_create_digest_http_message( "uri=\"%s\", " "response=\"%s\"", userp_quoted, - digest->realm, - digest->nonce, + realm_quoted, + nonce_quoted, uripath, request_digest); } + free(nonce_quoted); + free(realm_quoted); free(userp_quoted); if(!response) return CURLE_OUT_OF_MEMORY; /* Add the optional fields */ if(digest->opaque) { + char *opaque_quoted; /* Append the opaque */ + opaque_quoted = auth_digest_string_quoted(digest->opaque); + if(!opaque_quoted) { + free(response); + return CURLE_OUT_OF_MEMORY; + } tmp = aprintf("%s, opaque=\"%s\"", response, digest->opaque); free(response); if(!tmp) |
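Review bot: `opaque_quoted` is allocated and checked, but the unchanged `aprintf("%s, opaque=\"%s\"", response, digest->opaque)` line still formats the raw `digest->opaque`, and no `free(opaque_quoted)` appears in the hunk. The comment added in the earlier hunk says opaque is de-escaped when parsed, so a server-supplied value containing `"` or `\` would still be written unescaped inside the quoted parameter. The new buffer also looks leaked on every request that carries an opaque. The call should pass `opaque_quoted` instead and be followed by `free(opaque_quoted);` next to `free(response);`. The `if(digest->opaque)` block continues past the end of the hunk, so a later free cannot be ruled out from what is shown.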