From 74521cca4019f149e6a7258e3b65f49dab746f78 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 12 Jun 2008 20:53:04 +0200 Subject: [PATCH] httpd: fix username verification with md5 auth checkPerm only verified as many characters of the username as provided by the client, so E.G. an empty username would always match. Cleanup and save a few bytes while we are at it: function old new delta checkPerm 359 350 -9 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 0/1 up/down: 0/-9) Total: -9 bytes Based on (incorrect) patch by Lubos Stanek (lubek) sent to the openwrt list: http://thread.gmane.org/gmane.comp.embedded.openwrt.devel/1464 Signed-off-by: Peter Korsgaard --- networking/httpd.c | 28 +++++++++++++--------------- 1 files changed, 13 insertions(+), 15 deletions(-) diff --git a/networking/httpd.c b/networking/httpd.c index 352a97d..db04cde 100644 --- a/networking/httpd.c +++ b/networking/httpd.c @@ -1710,29 +1710,27 @@ static int checkPerm(const char *path, const char *request) if (strncmp(p0, path, l) == 0 && (l == 1 || path[l] == '/' || path[l] == '\0') ) { - char *u; /* path match found. Check request */ /* for check next /path:user:password */ prev = p0; - u = strchr(request, ':'); - if (u == NULL) { - /* bad request, ':' required */ - break; - } if (ENABLE_FEATURE_HTTPD_AUTH_MD5) { char *pp; - if (strncmp(p, request, u - request) != 0) { - /* user doesn't match */ - continue; - } pp = strchr(p, ':'); if (pp && pp[1] == '$' && pp[2] == '1' - && pp[3] == '$' && pp[4] - ) { - char *encrypted = pw_encrypt(u+1, ++pp, 1); - int r = strcmp(encrypted, pp); + && pp[3] == '$' && pp[4]) { + char *encrypted; + int r, len; + + len = 1 + pp - p; + if (strncmp(p, request, len) != 0) { + /* user doesn't match */ + continue; + } + + encrypted = pw_encrypt(request+len, p+len, 1); + r = strcmp(encrypted, p+len); free(encrypted); if (r == 0) goto set_remoteuser_var; /* Ok */ 
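Review bot: The fix depends on `len = 1 + pp - p` covering the stored name and its trailing ':', but nothing on the added lines says so. A comment above that assignment, such as `/* len spans "user:" including the colon, so the client must send the complete name */`, would keep a later cleanup from dropping the `1 +` and bringing back prefix matching. Because the `strncmp` over `len` bytes now runs only inside the `$1$` branch, entries that are not MD5 hashes are checked solely by the `strcmp(p, request)` further down, which appears to be intended. `checkPerm` begins and ends outside this hunk.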
@@ -1743,7 +1741,7 @@ static int checkPerm(const char *path, const char *request) if (strcmp(p, request) == 0) { set_remoteuser_var: - remoteuser = xstrndup(request, u - request); + remoteuser = xstrndup(request, strchr(request, ':') - request); return 1; /* Ok */ } /* unauthorized */ -- 1.5.5.1
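Review bot: `strchr(request, ':')` on the added line can return NULL now that the first hunk removes the `u == NULL` bail-out, and `NULL - request` is then passed to `xstrndup` as a length. The MD5 path cannot reach the label without a ':' in `request`, but the `strcmp(p, request)` path can if a configured entry has no ':'; whether the config parser rules that out is not visible here. Keeping a guard right after `prev = p0;`, e.g. `if (!strchr(request, ':')) break;`, preserves the old rejection of malformed credentials. The function body continues outside the hunk.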