[libsoup] SoupAuthDomainDigest: Fix authentication with encoded uris



commit fedaa0f770a664646a978c9c9258de1cec0c695e
Author: Claudio Saavedra <csaavedra igalia com>
Date:   Tue Mar 13 20:07:05 2018 +0200

    SoupAuthDomainDigest: Fix authentication with encoded uris
    
    When the client uses an absolute path in the Digest "uri" parameter,
    we need to percent-decode that value before comparing it to the
    request URI: some clients send it percent-encoded, while SoupURI
    may already have decoded the request path it is compared against.
    
    Also modify server-auth-test.c to make this problem reproducible
    and add a couple of test cases to make sure we don't regress.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=794208

 libsoup/soup-auth-domain-digest.c |    9 +++++-
 tests/server-auth-test.c          |   49 ++++++++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 5 deletions(-)
---
diff --git a/libsoup/soup-auth-domain-digest.c b/libsoup/soup-auth-domain-digest.c
index 5cb4315..8bdb561 100644
--- a/libsoup/soup-auth-domain-digest.c
+++ b/libsoup/soup-auth-domain-digest.c
@@ -214,15 +214,20 @@ check_hex_urp (SoupAuthDomain *domain, SoupMessage *msg,
                        return FALSE;
                }
                soup_uri_free (dig_uri);
-       } else {        
+       } else {
                char *req_path;
+               char *dig_path;
 
                req_path = soup_uri_to_string (req_uri, TRUE);
-               if (strcmp (uri, req_path) != 0) {
+               dig_path = soup_uri_decode (uri);
+
+               if (strcmp (dig_path, req_path) != 0) {
                        g_free (req_path);
+                       g_free (dig_path);
                        return FALSE;
                }
                g_free (req_path);
+               g_free (dig_path);
        }
 
        /* Check qop; we only support "auth" for now */
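Review bot: The new `dig_path = soup_uri_decode (uri);` line decodes every escape in the client-supplied value, including escaped delimiters, so `%2F`, `%3F` and `%23` become `/`, `?` and `#` before the strcmp against `req_path`; a uri of `/Digest/a%2Fb` or `/Digest/foo%3Fbar` then compares equal to a request for `/Digest/a/b` or `/Digest/foo?bar`. That loosens the binding between the Authorization header and the request target which this comparison exists to enforce — the digest is still hashed over the literal uri, so the exposure is replay of a captured header against a different resource rather than forgery. A narrower fix is to give the client's value the same treatment the request path received instead of a full decode, presumably `soup_uri_normalize (uri, NULL)` (unreserved characters only), if that is indeed the form `req_uri` carries here; failing that, document the widening with a comment such as `/* Decode so encoded and plain forms of the same path compare equal; this also collapses escaped delimiters (%2F, %3F, %23). */`. check_hex_urp begins and ends outside this hunk, so I cannot see whether `uri` is already checked for NULL before this branch.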
diff --git a/tests/server-auth-test.c b/tests/server-auth-test.c
index ee3f57b..34c297b 100644
--- a/tests/server-auth-test.c
+++ b/tests/server-auth-test.c
@@ -36,7 +36,11 @@ do_test (SoupURI *base_uri, const char *path,
        GPid pid;
        gboolean done;
 
-       uri = soup_uri_new_with_base (base_uri, path);
+       /* We build the URI this way to avoid having soup_uri_new()
+          normalize the path, hence losing the encoded characters in
+          tests 4. and 5. below. */
+       uri = soup_uri_copy (base_uri);
+       soup_uri_set_path (uri, path);
        uri_str = soup_uri_to_string (uri, FALSE);
        soup_uri_free (uri);
 
@@ -156,7 +160,46 @@ do_server_auth_test (gconstpointer data)
                 /* success? */
                 TEST_USES_DIGEST (i) && TEST_GOOD_AUTH (i));
 
-       /* 4. Any auth required. */
+       /* 4. Digest auth with encoded URI. See #794208.
+        */
+       do_test (base_uri, "/Digest/A%20B",
+                TEST_GOOD_USER (i), TEST_GOOD_PASSWORD (i),
+                /* request */
+                TEST_USES_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from client */
+                TEST_PREEMPTIVE_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from server */
+                FALSE, TRUE,
+                /* success? */
+                TEST_USES_DIGEST (i) && TEST_GOOD_AUTH (i));
+
+       /* 5. Digest auth with a mixture of encoded and decoded chars in the URI. See #794208.
+        */
+       do_test (base_uri, "/Digest/A%20|%20B",
+                TEST_GOOD_USER (i), TEST_GOOD_PASSWORD (i),
+                /* request */
+                TEST_USES_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from client */
+                TEST_PREEMPTIVE_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from server */
+                FALSE, TRUE,
+                /* success? */
+                TEST_USES_DIGEST (i) && TEST_GOOD_AUTH (i));
+
+       /* 6. Digest auth with UTF-8 chars in the URI. See #794208.
+        */
+       do_test (base_uri, "/Digest/A௹B",
+                TEST_GOOD_USER (i), TEST_GOOD_PASSWORD (i),
+                /* request */
+                TEST_USES_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from client */
+                TEST_PREEMPTIVE_BASIC (i), TEST_USES_DIGEST (i),
+                /* expected from server */
+                FALSE, TRUE,
+                /* success? */
+                TEST_USES_DIGEST (i) && TEST_GOOD_AUTH (i));
+
+       /* 7. Any auth required. */
        do_test (base_uri, "/Any/foo",
                 TEST_GOOD_USER (i), TEST_GOOD_PASSWORD (i),
                 /* request */
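Review bot: All three added cases (4, 5, 6) only assert that a correctly-encoded request now succeeds; nothing pins down that the uri/request comparison still rejects a Digest header whose `uri` names a different target, which is the property the decode in soup-auth-domain-digest.c makes easier to lose. Since `do_test ()` drives a real client by path and cannot set the `uri` parameter independently, that check probably belongs in a direct test of the domain's Authorization-header parsing with a hand-built header, e.g. a `uri="/Digest/other"` sent against `/Digest/A%20B`, expecting a 401. Even one such negative case would make this a regression guard rather than a happy-path check.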
@@ -168,7 +211,7 @@ do_server_auth_test (gconstpointer data)
                 /* success? */
                 (TEST_USES_BASIC (i) || TEST_USES_DIGEST (i)) && TEST_GOOD_AUTH (i));
 
-       /* 5. No auth required again. (Makes sure that
+       /* 8. No auth required again. (Makes sure that
         * SOUP_AUTH_DOMAIN_REMOVE_PATH works.)
         */
        do_test (base_uri, "/Any/Not/foo",

