Skip to content

Commit

Permalink
Fix validation of Digest auth header parameters (#1906)
Browse files Browse the repository at this point in the history
Insufficient validation of Digest authentication parameters resulted in
a DigestCalcHA1() call that dereferenced a nil pointer.

This bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/ where it was filed as
"strlen(NULL) Crash Using Digest Authentication".
  • Loading branch information
kinkie committed Oct 9, 2024
1 parent b4addc2 commit 1615a7f
Showing 1 changed file with 13 additions and 7 deletions.
20 changes: 13 additions & 7 deletions src/auth/digest/Config.cc
Original file line number Diff line number Diff line change
Expand Up @@ -966,13 +966,19 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
return rv;
}
} else {
/* cnonce and nc both require qop */
if (digest_request->cnonce || digest_request->nc[0] != '\0') {
debugs(29, 2, "missing qop!");
rv = authDigestLogUsername(username, digest_request, aRequestRealm);
safe_free(username);
return rv;
}
/* RFC7616 section 3.3, qop:
* "MUST be used by all implementations"
*
* RFC7616 section 3.4, qop:
* "value MUST be one of the alternatives the server
* indicated it supports in the WWW-Authenticate header field"
*
* Squid sends qop=auth, reject buggy or outdated clients.
*/
debugs(29, 2, "missing qop!");
rv = authDigestLogUsername(username, digest_request, aRequestRealm);
safe_free(username);
return rv;
}

/** below nonce state dependent **/
Expand Down

0 comments on commit 1615a7f

Please sign in to comment.