[vlc-devel] [PATCH] net/httpd: accept any user if none requested

Rémi Denis-Courmont remi at remlab.net
Sun Apr 27 15:43:24 CEST 2014


On Saturday 26 April 2014, 22:12:27 Vincent Bernat wrote:
> When no user (resp. password) is required, accept any
> user (resp. password). The Lua web interface is not requiring a username
> and therefore, the authentication has to be done with an empty
> user. Many HTTP clients choke with this. For example, curl doesn't
> accept an empty username. This change allows the user to provide any
> username to authenticate as long as the password matches.
> ---
>  src/network/httpd.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/src/network/httpd.c b/src/network/httpd.c
> index 816d348a3328..3a81350d733a 100644
> --- a/src/network/httpd.c
> +++ b/src/network/httpd.c
> @@ -1109,8 +1109,8 @@ httpd_url_t *httpd_UrlNew(httpd_host_t *host, const
> char *psz_url,
> 
>      vlc_mutex_init(&url->lock);
>      url->psz_url = strdup(psz_url);
> -    url->psz_user = strdup(psz_user ? psz_user : "");
> -    url->psz_password = strdup(psz_password ? psz_password : "");
> +    url->psz_user = psz_user ? strdup(psz_user) : NULL;
> +    url->psz_password = psz_password ? strdup(psz_password) : NULL;

>      for (int i = 0; i < HTTPD_MSG_MAX; i++) {
>          url->catch[i].cb = NULL;
>          url->catch[i].p_sys = NULL;
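
Review bot: In the two added strdup() lines, an allocation failure is now indistinguishable from "no credential configured". If strdup(psz_user) or strdup(psz_password) returns NULL, the field is stored as NULL, and the `user &&` / `pass &&` guards this patch adds to httpdAuthOk() then skip the comparison, so the URL fails open under memory pressure. Check the strdup() result whenever the argument was non-NULL and make httpd_UrlNew() fail rather than store NULL.
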
> @@ -1713,7 +1713,7 @@ static void httpd_ClientTlsHandshake(httpd_client_t
> *cl)
> 
>  static bool httpdAuthOk(const char *user, const char *pass, const char
> *b64) {
> -    if (!*user && !*pass)
> +    if (!user && !pass)
>          return true;

I suspect this breaks some call sites that relied on "" implying no checks.

> 
>      if (!b64)
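
Review bot: The changed test `if (!user && !pass)` no longer returns early for empty strings, so a caller that still passes "" for both falls through to the `if (!b64)` check and is then compared against "", which only an empty username and password will match. Either normalise "" to NULL where the fields are set in httpd_UrlNew() (for example `psz_user && *psz_user ? strdup(psz_user) : NULL`) or audit every caller, and add a comment on httpdAuthOk() stating that NULL means "not checked" while "" means "must be empty".
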
> @@ -1737,10 +1737,10 @@ static bool httpdAuthOk(const char *user, const char
> *pass, const char *b64)
> 
>      *given_pass++ = '\0';
> 
> -    if (strcmp (given_user, user))
> +    if (user && strcmp (given_user, user))
>          goto auth_failed;
> 
> -    if (strcmp (given_pass, pass))
> +    if (pass && strcmp (given_pass, pass))
>          goto auth_failed;
> 
>      free(given_user);
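
Review bot: The `pass && strcmp (given_pass, pass)` guard also skips the password check when only a user was configured, which goes further than the commit message ("as long as the password matches"): a URL created with a user and a NULL password accepts that username with any password. If that combination is not meant to be supported, reject it in httpd_UrlNew(), or fail authentication here when user is set and pass is NULL.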

-- 
Rémi Denis-Courmont
http://www.remlab.net/



