Mercurial > hg > nginx
comparison src/http/modules/ngx_http_auth_basic_module.c @ 7637:0cb942c1c1aa
Auth basic: explicitly zero out password buffer.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Fri, 13 Mar 2020 02:12:10 +0300 |
| parents | e48ac0136ee3 |
| children | bdd4d89370a7 |
comparison
equal
deleted
inserted
replaced
| 7636:2a9aeb3426c3 | 7637:0cb942c1c1aa |
|---|---|
| 23 static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r); | 23 static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r); |
| 24 static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, | 24 static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, |
| 25 ngx_str_t *passwd, ngx_str_t *realm); | 25 ngx_str_t *passwd, ngx_str_t *realm); |
| 26 static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, | 26 static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, |
| 27 ngx_str_t *realm); | 27 ngx_str_t *realm); |
| 28 static void ngx_http_auth_basic_close(ngx_file_t *file); | |
| 29 static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf); | 28 static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf); |
| 30 static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, | 29 static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, |
| 31 void *parent, void *child); | 30 void *parent, void *child); |
| 32 static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf); | 31 static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf); |
| 33 static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, | 32 static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, |
| 175 | 174 |
| 176 n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left, | 175 n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left, |
| 177 offset); | 176 offset); |
| 178 | 177 |
| 179 if (n == NGX_ERROR) { | 178 if (n == NGX_ERROR) { |
| 180 ngx_http_auth_basic_close(&file); | 179 rc = NGX_HTTP_INTERNAL_SERVER_ERROR; |
| 181 return NGX_HTTP_INTERNAL_SERVER_ERROR; | 180 goto cleanup; |
| 182 } | 181 } |
| 183 | 182 |
| 184 if (n == 0) { | 183 if (n == 0) { |
| 185 break; | 184 break; |
| 186 } | 185 } |
| 217 | 216 |
| 218 case sw_passwd: | 217 case sw_passwd: |
| 219 if (buf[i] == LF || buf[i] == CR || buf[i] == ':') { | 218 if (buf[i] == LF || buf[i] == CR || buf[i] == ':') { |
| 220 buf[i] = '\0'; | 219 buf[i] = '\0'; |
| 221 | 220 |
| 222 ngx_http_auth_basic_close(&file); | |
| 223 | |
| 224 pwd.len = i - passwd; | 221 pwd.len = i - passwd; |
| 225 pwd.data = &buf[passwd]; | 222 pwd.data = &buf[passwd]; |
| 226 | 223 |
| 227 return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); | 224 rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); |
| 225 goto cleanup; | |
| 228 } | 226 } |
| 229 | 227 |
| 230 break; | 228 break; |
| 231 | 229 |
| 232 case sw_skip: | 230 case sw_skip: |
| 249 } | 247 } |
| 250 | 248 |
| 251 offset += n; | 249 offset += n; |
| 252 } | 250 } |
| 253 | 251 |
| 254 ngx_http_auth_basic_close(&file); | |
| 255 | |
| 256 if (state == sw_passwd) { | 252 if (state == sw_passwd) { |
| 257 pwd.len = i - passwd; | 253 pwd.len = i - passwd; |
| 258 pwd.data = ngx_pnalloc(r->pool, pwd.len + 1); | 254 pwd.data = ngx_pnalloc(r->pool, pwd.len + 1); |
| 259 if (pwd.data == NULL) { | 255 if (pwd.data == NULL) { |
| 260 return NGX_HTTP_INTERNAL_SERVER_ERROR; | 256 return NGX_HTTP_INTERNAL_SERVER_ERROR; |
| 261 } | 257 } |
| 262 | 258 |
| 263 ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1); | 259 ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1); |
| 264 | 260 |
| 265 return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); | 261 rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); |
| 262 goto cleanup; | |
| 266 } | 263 } |
| 267 | 264 |
| 268 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | 265 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, |
| 269 "user \"%V\" was not found in \"%s\"", | 266 "user \"%V\" was not found in \"%s\"", |
| 270 &r->headers_in.user, user_file.data); | 267 &r->headers_in.user, user_file.data); |
| 271 | 268 |
| 272 return ngx_http_auth_basic_set_realm(r, &realm); | 269 rc = ngx_http_auth_basic_set_realm(r, &realm); |
| 270 | |
| 271 cleanup: | |
| 272 | |
| 273 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { | |
| 274 ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno, | |
| 275 ngx_close_file_n " \"%s\" failed", user_file.data); | |
| 276 } | |
| 277 | |
| 278 ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE); | |
| 279 | |
| 280 return rc; | |
| 273 } | 281 } |
| 274 | 282 |
| 275 | 283 |
| 276 static ngx_int_t | 284 static ngx_int_t |
| 277 ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd, | 285 ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd, |
| 336 r->headers_out.www_authenticate->value.len = len; | 344 r->headers_out.www_authenticate->value.len = len; |
| 337 | 345 |
| 338 return NGX_HTTP_UNAUTHORIZED; | 346 return NGX_HTTP_UNAUTHORIZED; |
| 339 } | 347 } |
| 340 | 348 |
| 341 static void | |
| 342 ngx_http_auth_basic_close(ngx_file_t *file) | |
| 343 { | |
| 344 if (ngx_close_file(file->fd) == NGX_FILE_ERROR) { | |
| 345 ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno, | |
| 346 ngx_close_file_n " \"%s\" failed", file->name.data); | |
| 347 } | |
| 348 } | |
| 349 | |
| 350 | 349 |
| 351 static void * | 350 static void * |
| 352 ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) | 351 ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf) |
| 353 { | 352 { |
| 354 ngx_http_auth_basic_loc_conf_t *conf; | 353 ngx_http_auth_basic_loc_conf_t *conf; |