| author | Xavier Del Campo Romero <xavi92@disroot.org> | 2025-10-02 11:32:02 +0200 |
|---|---|---|
| committer | Xavier Del Campo Romero <xavi92@disroot.org> | 2025-10-02 11:32:02 +0200 |
| commit | 4dcd4d47cc717b37844dbe7f01485f9a0662a964 (patch) | |
| tree | 14d29627ce3a6ba70a67cd2b5dd2bebe9341e5aa | |
| parent | eeca79b7678176a6f8915da29d35f685f365e6da (diff) | |
auth.c: Fix missing username check
So far, auth_login was looking for a key that matched the expected HMAC,
among all registered users, and therefore without looking up the
username from the cookie key.
This allowed attackers to forge a cookie with a valid key but another
username, and therefore see the contents from other users.
| -rw-r--r-- | auth.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -78,7 +78,8 @@ end:
 return ret;
 }
-static int find_cookie(const cJSON *const users, const char *const cookie)
+static int find_cookie(const cJSON *const users, const char *const username,
+ const char *const cookie)
 {
 const cJSON *u;
@@ -99,6 +100,8 @@ static int find_cookie(const cJSON *const users, const char *const cookie)
 fprintf(stderr, "%s: missing key\n", __func__);
 return -1;
 }
+ else if (strcmp(name, username))
+ continue;
 else if (hex_decode(key, dkey, sizeof dkey))
 {
 fprintf(stderr, "%s: hex_decode failed\n", __func__);
@@ -150,7 +153,7 @@ int auth_cookie(const struct auth *const a, const struct http_cookie *const c)
 fprintf(stderr, "%s: expected JSON array for users\n", __func__);
 goto end;
 }
- else if ((ret = find_cookie(users, c->value)) < 0)
+ else if ((ret = find_cookie(users, c->field, c->value)) < 0)
 {
 fprintf(stderr, "%s: find_cookie failed\n", __func__);
 goto end; |
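Review bot: The new `username` parameter of find_cookie carries the security property this commit restores, but the signature in the first hunk has no comment stating it, so a later refactor could again try the cookie against every user's key. I would add above the definition: `/* Accepts cookie only if it matches the key of the user named username; keys of other users must never be tried. */`. The function body continues outside the hunk, so its return values are not described in the proposed comment.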
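Review bot: The added `strcmp(name, username)` in the second hunk dereferences `username`, which the third hunk now takes from `c->field` in auth_cookie; nothing visible here shows that a cookie without a name yields a non-NULL field, and strcmp on NULL is undefined behaviour on client-supplied input. If the cookie parser can leave either member NULL, reject the request in auth_cookie before the call, e.g. `else if (!c->field || !c->value)` followed by a log line and `goto end;`. The test would also read more clearly as `strcmp(name, username) != 0`, since the bare truthiness here means "differs". Both functions start and end outside the hunks, so the key comparison after hex_decode is not visible; it is worth confirming that it runs in constant time and that a username matching no user ends in a negative return.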
