comparison src/http/modules/ngx_http_auth_basic_module.c @ 7637:0cb942c1c1aa
Auth basic: explicitly zero out password buffer.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Fri, 13 Mar 2020 02:12:10 +0300 |
parents | e48ac0136ee3 |
children | bdd4d89370a7 |
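--- a/src/http/modules/ngx_http_auth_basic_module.c
+++ b/src/http/modules/ngx_http_auth_basic_module.c
@@ -23,11 +23,10 @@
 static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r);
 static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
 ngx_str_t *passwd, ngx_str_t *realm);
 static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
 ngx_str_t *realm);
-static void ngx_http_auth_basic_close(ngx_file_t *file);
 static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
 static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
 void *parent, void *child);
 static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf);
 static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd,
@@ -175,12 +174,12 @@
 
 n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
 offset);
 
 if (n == NGX_ERROR) {
-ngx_http_auth_basic_close(&file);
-return NGX_HTTP_INTERNAL_SERVER_ERROR;
+rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+goto cleanup;
 }
 
 if (n == 0) {
 break;
 }
@@ -217,16 +216,15 @@
 
 case sw_passwd:
 if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
 buf[i] = '\0';
 
-ngx_http_auth_basic_close(&file);
-
 pwd.len = i - passwd;
 pwd.data = &buf[passwd];
 
-return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+goto cleanup;
 }
 
 break;
 
 case sw_skip:
@@ -249,29 +247,39 @@
 }
 
 offset += n;
 }
 
-ngx_http_auth_basic_close(&file);
-
 if (state == sw_passwd) {
 pwd.len = i - passwd;
 pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
 if (pwd.data == NULL) {
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
 
 ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);
 
-return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+goto cleanup;
 }
 
 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
 "user \"%V\" was not found in \"%s\"",
 &r->headers_in.user, user_file.data);
 
-return ngx_http_auth_basic_set_realm(r, &realm);
+rc = ngx_http_auth_basic_set_realm(r, &realm);
+
+cleanup:
+
+if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
+ngx_close_file_n " \"%s\" failed", user_file.data);
+}
+
+ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
+
+return rc;
 }
 
 
 static ngx_int_t
 ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd,
@@ -336,19 +344,10 @@
 r->headers_out.www_authenticate->value.len = len;
 
 return NGX_HTTP_UNAUTHORIZED;
 }
 
-static void
-ngx_http_auth_basic_close(ngx_file_t *file)
-{
-if (ngx_close_file(file->fd) == NGX_FILE_ERROR) {
-ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno,
-ngx_close_file_n " \"%s\" failed", file->name.data);
-}
-}
-
 
 static void *
 ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
 {
 ngx_http_auth_basic_loc_conf_t *conf;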
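Review bot: The allocation-failure branch inside the trailing `if (state == sw_passwd)` block (new lines 255–257) still does `return NGX_HTTP_INTERNAL_SERVER_ERROR;`, which now bypasses the `cleanup:` label. Because the `ngx_close_file()` call that used to run before this block was moved into cleanup, that path leaks the password-file descriptor and leaves the file contents in `buf` un-zeroed; it should become `rc = NGX_HTTP_INTERNAL_SERVER_ERROR; goto cleanup;`, matching the `n == NGX_ERROR` branch. Separately, the copy made by `ngx_cpystrn()` into `pwd.data` is allocated from `r->pool` and is not covered by `ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE)`; presumably it persists until the pool is destroyed, so consider wiping it after `ngx_http_auth_basic_crypt_handler()` returns. The handler's body begins outside the displayed hunks, so the declarations of `rc` and `buf` are not visible here.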