call*cgi: Added the REMOTE_USER CGI variable, as a mapping from X-Ash-Remote-User.

[ashd.git] / src / htextauth.c

diff --git a/src/htextauth.c b/src/htextauth.c
index 27217e0..1fbea07 100644 (file)
--- a/src/htextauth.c
+++ b/src/htextauth.c
@@ -147,11 +147,11 @@ static void serve(struct hthead *req, int fd)
     size_t declen;
     
     now = time(NULL);
+    dec = NULL;
     if(reqssl && (((raw = getheader(req, "X-Ash-Protocol")) == NULL) || strcmp(raw, "https"))) {
        simpleerror(fd, 403, "Forbidden", "The requested resource must be requested over HTTPS.");
        goto out;
     }
-    dec = NULL;
     if(((raw = getheader(req, "Authorization")) == NULL) || strncasecmp(raw, "basic ", 6)) {
        reqauth(req, fd);
        goto out;
@@ -162,6 +162,12 @@ static void serve(struct hthead *req, int fd)
     }
     memset(raw, 0, strlen(raw));
     headrmheader(req, "Authorization");
+    for(p = dec; *p; p++) {
+       if(*p < 32) {
+           simpleerror(fd, 400, "Invalid request", "The authentication data is invalid.");
+           goto out;
+       }
+    }
     if((p = strchr(dec, ':')) == NULL) {
        simpleerror(fd, 400, "Invalid request", "The authentication data is invalid.");
        goto out;
@@ -198,10 +204,6 @@ static int auth(struct hthead *req, int fd, char *user, char *pass)
     FILE *out;
     
     rv = 0;
-    if(strchr(user, '\n') || strchr(pass, '\n')) {
-       simpleerror(fd, 401, "Invalid authentication", "The supplied credentials are invalid.");
-       return(0);
-    }
     msg = "The supplied credentials are invalid.";
     pipe(pfd);
     pipe(efd);