Skip to content
Draft
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions src/adaptation/icap/ModXact.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1399,12 +1399,20 @@ void Adaptation::Icap::ModXact::makeRequestHeaders(MemBuf &buf)
String vh=virgin.header->header.getById(Http::HdrType::PROXY_AUTHORIZATION);
buf.appendf("Proxy-Authorization: " SQUIDSTRINGPH "\r\n", SQUIDSTRINGPRINT(vh));
} else if (request->extacl_user.size() > 0 && request->extacl_passwd.size() > 0) {
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
const auto plainLen = userLen + 1 + passwdLen;
if (plainLen > MAX_LOGIN_SZ)
throw TexcHere("extacl credentials too long for Proxy-Authorization");
Comment thread
rousskov marked this conversation as resolved.
Outdated
// plainLen <= MAX_LOGIN_SZ, so base64_encode_len(plainLen) fits
// within the base64_encode_len(MAX_LOGIN_SZ) stack buffer.
Comment thread
rousskov marked this conversation as resolved.
Outdated
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
Comment thread
kinkie marked this conversation as resolved.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
auto resultLen = base64_encode_update(&ctx, base64buf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_final(&ctx, base64buf+resultLen);
buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf);
Comment thread
kinkie marked this conversation as resolved.
}
Expand Down
22 changes: 17 additions & 5 deletions src/http.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1850,8 +1850,12 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
username = request->auth_user_request->username();
#endif

blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
const auto usernameLen = strlen(username);
const auto suffixLen = strlen(request->peer_login + 1);
if (usernameLen + suffixLen > MAX_LOGIN_SZ)
throw TexcHere("peer login credentials too long");
blen = base64_encode_update(&ctx, loginbuf, usernameLen, reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, suffixLen, reinterpret_cast<const uint8_t*>(request->peer_login +1));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand All @@ -1862,9 +1866,14 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
(strcmp(request->peer_login, "PASS") == 0 ||
strcmp(request->peer_login, "PROXYPASS") == 0)) {

blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
if (userLen + 1 + passwdLen > MAX_LOGIN_SZ)
throw TexcHere("extacl credentials too long for peer login");
blen = base64_encode_update(&ctx, loginbuf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand Down Expand Up @@ -1894,7 +1903,10 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
}
#endif /* HAVE_KRB5 && HAVE_GSSAPI */

blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
const auto loginLen = strlen(request->peer_login);
if (loginLen > MAX_LOGIN_SZ)
throw TexcHere("peer_login too long");
blen = base64_encode_update(&ctx, loginbuf, loginLen, reinterpret_cast<const uint8_t*>(request->peer_login));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
Comment thread
kinkie marked this conversation as resolved.
return;
Expand Down
Loading