[taler-merchant] 02/02: fix Authorization header parsing
From: |
gnunet |
Subject: |
[taler-merchant] 02/02: fix Authorization header parsing |
Date: |
Tue, 02 Mar 2021 20:03:22 +0100 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository merchant.
commit 66f6cf25d499b97a5a8811ca34ab72f096dd31d4
Author: Florian Dold <florian@dold.me>
AuthorDate: Tue Mar 2 20:03:17 2021 +0100
fix Authorization header parsing
---
src/backend/taler-merchant-httpd.c | 53 ++++++++++++++++++++++++++------------
src/include/platform.h | 2 +-
2 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/src/backend/taler-merchant-httpd.c
b/src/backend/taler-merchant-httpd.c
index 0690e621..77dedaae 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -960,6 +960,35 @@ TMH_add_instance (struct TMH_MerchantInstance *mi)
return ret;
}
+/**
+ * Extract the token from authorization header value @a auth.
+ *
+ * @param auth pointer to authorization header value,
+ * will be updated to point to the start of the token
+ * or set to NULL if header value is invalid
+ */
+static void
+extract_token (const char **auth)
+{
+ const char *bearer = "Bearer ";
+ const char *tok = *auth;
+ if (0 != strncmp (tok, bearer, strlen (bearer)))
+ {
+ *auth = NULL;
+ return;
+ }
+ tok = tok + strlen (bearer);
+ while (' ' == *tok)
+ tok++;
+ if (0 != strncasecmp (tok,
+ RFC_8959_PREFIX,
+ strlen (RFC_8959_PREFIX)))
+ {
+ *auth = NULL;
+ return;
+ }
+ *auth = tok;
+}
/**
* A client has requested the given url using the given method
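Review bot: The scheme name is matched case-sensitively (`strncmp (tok, bearer, strlen (bearer))` against the "Bearer " literal) while the RFC 8959 prefix a few lines below is matched with strncasecmp; HTTP authentication scheme names are case-insensitive, so a client sending `bearer secret-token:...` is rejected as malformed by the first check but would have passed the second. Suggest `if (0 != strncasecmp (tok, bearer, strlen (bearer)))` so both checks agree. Note also that on success the function leaves `*auth` at the start of `secret-token:`, whereas the code it replaces in url_handler (second hunk) advanced past the whole old prefix, so whatever compares the token downstream must now expect the `secret-token:` prefix to be included — presumably intended, since RFC 8959 treats the full string as the token, but worth confirming against how instance tokens are stored. A one-line addition to the doc comment, `on success @a auth points at the RFC 8959 token including its "secret-token:" prefix`, would make that contract explicit.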
@@ -1654,23 +1683,15 @@ url_handler (void *cls,
MHD_HTTP_HEADER_AUTHORIZATION);
if (NULL != auth)
{
- if (0 != strncasecmp (auth,
- RFC_8959_PREFIX,
- strlen (RFC_8959_PREFIX)))
- {
- /* We _only_ complain about malformed auth headers if
- authorization was truly required (#6737). This helps
- in case authorization was disabled in the backend
- because some reverse proxy is already doing it, and
- then that reverse proxy may forward malformed auth
- headers to the backend. */
+ /* We _only_ complain about malformed auth headers if
+ authorization was truly required (#6737). This helps
+ in case authorization was disabled in the backend
+ because some reverse proxy is already doing it, and
+ then that reverse proxy may forward malformed auth
+ headers to the backend. */
+ extract_token (&auth);
+ if (NULL == auth)
auth_malformed = true;
- auth = NULL;
- }
- else
- {
- auth += strlen (RFC_8959_PREFIX);
- }
}
/* Are the credentials provided OK for the default instance?
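Review bot: The new `if (NULL == auth)` directly before `auth_malformed = true;` is the only unbraced single-statement if in this region; the surrounding code and the branch it replaces brace every control body, so `if (NULL == auth) { auth_malformed = true; }` keeps the style consistent and avoids the dangling-statement trap if a second action (for example re-setting a diagnostic) is added here later. url_handler starts and ends outside this hunk.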
diff --git a/src/include/platform.h b/src/include/platform.h
index 70c296fd..ab260ebe 100644
--- a/src/include/platform.h
+++ b/src/include/platform.h
@@ -62,7 +62,7 @@
* Mark Nottingham thinks this should be fixed by revising HTTP
* spec (https://github.com/httpwg/http-core/issues/733))
*/
-#define RFC_8959_PREFIX "Bearer secret-token:"
+#define RFC_8959_PREFIX "secret-token:"
#endif /* PLATFORM_H_ */