Blame SOURCES/httpd-2.4.37-CVE-2020-35452.patch
|
 |
96af6c |
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
|
|
|
96af6c |
index b760941..0825b1b 100644
|
|
|
96af6c |
--- a/modules/aaa/mod_auth_digest.c
|
|
|
96af6c |
+++ b/modules/aaa/mod_auth_digest.c
|
|
|
96af6c |
@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
|
|
|
96af6c |
time_rec nonce_time;
|
|
|
96af6c |
char tmp, hash[NONCE_HASH_LEN+1];
|
|
|
96af6c |
|
|
|
96af6c |
- if (strlen(resp->nonce) != NONCE_LEN) {
|
|
|
96af6c |
+ /* Since the time part of the nonce is a base64 encoding of an
|
|
|
96af6c |
+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
|
|
|
96af6c |
+ */
|
|
|
96af6c |
+ if (strlen(resp->nonce) != NONCE_LEN
|
|
|
96af6c |
+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
|
|
|
96af6c |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
|
|
|
96af6c |
- "invalid nonce %s received - length is not %d",
|
|
|
96af6c |
+ "invalid nonce '%s' received - length is not %d "
|
|
|
96af6c |
+ "or time encoding is incorrect",
|
|
|
96af6c |
resp->nonce, NONCE_LEN);
|
|
|
96af6c |
note_digest_auth_failure(r, conf, resp, 1);
|
|
|
96af6c |
return HTTP_UNAUTHORIZED;
|