From fb9b10275276ae4110e76fda6c897a6f11b31b0d Mon Sep 17 00:00:00 2001
From: Fredrik Tolf
Date: Thu, 7 Oct 2010 09:53:42 +0200
Subject: [PATCH] htextauth: Check credentials against control characters that might mess stuff up.
---
 src/htextauth.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/htextauth.c b/src/htextauth.c
index f20c776..1fbea07 100644
--- a/src/htextauth.c
+++ b/src/htextauth.c
@@ -162,6 +162,12 @@ static void serve(struct hthead *req, int fd)
 }
 memset(raw, 0, strlen(raw));
 headrmheader(req, "Authorization");
+ for(p = dec; *p; p++) {
+ if(*p < 32) {
+ simpleerror(fd, 400, "Invalid request", "The authentication data is invalid.");
+ goto out;
+ }
+ }
 if((p = strchr(dec, ':')) == NULL) {
 simpleerror(fd, 400, "Invalid request", "The authentication data is invalid.");
 goto out;
@@ -198,10 +204,6 @@ static int auth(struct hthead *req, int fd, char *user, char *pass)
 FILE *out;
 
 rv = 0;
- if(strchr(user, '\n') || strchr(pass, '\n')) {
- simpleerror(fd, 401, "Invalid authentication", "The supplied credentials are invalid.");
- return(0);
- }
 msg = "The supplied credentials are invalid.";
 pipe(pfd);
 pipe(efd);
-- 
2.11.0
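Review bot: The new control-character test in serve(), `if(*p < 32)`, compares a plain `char` (assuming `p` is a `char *`, as its use with strchr() suggests), and the signedness of `char` is implementation-defined. Where it is signed, every byte at or above 0x80 is negative and is rejected with the 400; where it is unsigned, those bytes pass, so non-ASCII credentials are accepted or refused depending on the platform. Casting makes the rule explicit and lets DEL be covered as well: `if((unsigned char)*p < 32 || *p == 127) {`. Because the second hunk removes the newline check from auth(), this loop is now the only filter visible in this patch in front of auth(), so a comment above it such as `/* Reject control characters here; auth() no longer checks for '\n' itself. */` would keep that dependency visible. Both serve() and auth() start and end outside the hunks shown, so other callers of auth() cannot be ruled out from here.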