File lighttpd-1.4.x_mod_auth_signedness_error.patch of Package lighttpd
commit 1adaac589ced706e1badd751f54390086b1d0767
Author: Marcus Rückert <mrueckert@suse.de>
Date: Tue Dec 20 13:08:51 2011 +0100
- merge 6c9dff7cda6593d9a566413347dd5adfe80c86a8
[mod_auth] Fix signedness error in http_auth (fixes #2370,
CVE-2011-4362)
diff --git a/src/http_auth.c b/src/http_auth.c
index 0c0c4a5..6609dc7 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -89,7 +89,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) {
ch = in[0];
/* run through the whole string, converting as we go */
for (i = 0; i < in_len; i++) {
- ch = in[i];
+ ch = (unsigned char) in[i];
if (ch == '\0') break;
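Review bot: The new cast in `ch = (unsigned char) in[i];` carries the whole fix but has no comment saying why it is needed, and the `ch = in[0];` just above the loop is still assigned without it. I would add `/* plain char may be signed: a byte >= 0x80 must not become a negative ch */` above the cast, and write the earlier assignment as `ch = (unsigned char) in[0];` so both reads of `in` agree. The declaration of `ch` and its use after the `'\0'` check are outside the hunk, so the lookup this presumably protects cannot be confirmed from here. If `ch` is later used as a table index, an explicit range check next to that lookup would stop the guarantee from resting on a single cast. The body of base64_decode continues beyond the hunk.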
diff --git a/tests/mod-auth.t b/tests/mod-auth.t
index 475a5f6..89ead9d 100755
--- a/tests/mod-auth.t
+++ b/tests/mod-auth.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 14;
+use Test::More tests => 15;
use LightyTest;
my $tf = LightyTest->new();
@@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token');
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
+Authorization: Basic \x80mFuOmphb
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
+
+$t->{REQUEST} = ( <<EOF
+GET /server-status HTTP/1.0
Authorization: Basic amFuOmphb
EOF
);
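Review bot: The added case asserts only that the response status is 401, so it may not fail on an unfixed build. A signedness error of this kind can read the wrong memory without crashing or changing the status, so the test is most useful when run against a server built with a memory checker or sanitizer. It is also worth a comment such as `# CVE-2011-4362: byte >= 0x80 in the Basic token must be rejected cleanly; \x80 is expanded because <<EOF interpolates`, since the escape works only because the heredoc is unquoted. The case covers a single high-bit byte in the first position of the token. A second request with the byte in the middle of the token, or with `\xff`, would cover the other end of the range.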