Partial fix for issue#209: don't crash when some Authorization fields are missing.

d9c05f99 · Arnout Vandecappelle (Essensium/Mind) · aef344f0 · d9c05f99
Commit d9c05f99 authored Dec 02, 2010 by Arnout Vandecappelle (Essensium/Mind)
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

mongoose.c mongoose.c +8 -0

No files found.
--- a/mongoose.c
+++ b/mongoose.c
@@ -1983,6 +1983,12 @@ static int check_password(const char *method, const char *ha1, const char *uri,
                          const char *qop, const char *response) {
  char ha2[32 + 1], expected_response[32 + 1];

+  // Some of the parameters may be NULL
+  if (method == NULL || nonce == NULL || nc == NULL || cnonce == NULL || 
+      qop == NULL || response == NULL) {
+    return 0;
+  }
+
  // NOTE(lsm): due to a bug in MSIE, we do not compare the URI
  // TODO(lsm): check for authentication timeout
  if (// strcmp(dig->uri, c->ouri) != 0 ||
@@ -2095,6 +2101,8 @@ static int parse_auth_header(struct mg_connection *conn, char *buf,
  // CGI needs it as REMOTE_USER
  if (ah->user != NULL) {
    conn->request_info.remote_user = mg_strdup(ah->user);
+  } else {
+    return 0;
  }

  return 1;