From 4dcd4d47cc717b37844dbe7f01485f9a0662a964 Mon Sep 17 00:00:00 2001 From: Xavier Del Campo Romero Date: Thu, 2 Oct 2025 11:32:02 +0200 Subject: auth.c: Fix missing username check So far, auth_login was looking for a key that matched the expected HMAC, among all registered users, and therefore without looking up the username from the cookie key. This allowed attackers to forge a cookie with a valid key but another username, and therefore see the contents from other users. --- auth.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/auth.c b/auth.c index 9b6e2de..790267a 100644 --- a/auth.c +++ b/auth.c @@ -78,7 +78,8 @@ end: return ret; } -static int find_cookie(const cJSON *const users, const char *const cookie) +static int find_cookie(const cJSON *const users, const char *const username, + const char *const cookie) { const cJSON *u; @@ -99,6 +100,8 @@ static int find_cookie(const cJSON *const users, const char *const cookie) fprintf(stderr, "%s: missing key\n", __func__); return -1; } + else if (strcmp(name, username)) + continue; else if (hex_decode(key, dkey, sizeof dkey)) { fprintf(stderr, "%s: hex_decode failed\n", __func__); @@ -150,7 +153,7 @@ int auth_cookie(const struct auth *const a, const struct http_cookie *const c) fprintf(stderr, "%s: expected JSON array for users\n", __func__); goto end; } - else if ((ret = find_cookie(users, c->value)) < 0) + else if ((ret = find_cookie(users, c->field, c->value)) < 0) { fprintf(stderr, "%s: find_cookie failed\n", __func__); goto end; -- cgit v1.2.3