[FFmpeg-devel] [PATCH] avformat/httpauth: don't overwrite auth digest with unimplemented algorithm
Andriy Gelman
andriy.gelman at gmail.com
Sat Mar 13 07:05:24 EET 2021
On Sun, 07. Mar 18:14, Andriy Gelman wrote:
> From: Andriy Gelman <andriy.gelman at gmail.com>
>
> In rtsp/http authentication the server may provide several options for
> hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616
> Section 3.7). Currently only support for MD5 is implemented in the auth code.
>
> If the SHA2 option follows the MD5 option in the server reply, the
> latter option will overwrite the MD5 auth info and the authorization
> will fail. This patch only overwrites the auth info if it's MD5.
>
> Fixes ticket #9127.
>
> Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
> ---
>
> An alternative may be to add the SHA2 code to http auth. I can work on this if
> people think it's a better option.
>
> Also, I could only test that the MD5 option doesn't get overwritten by modifying
> server responses in gdb. I could not find an rtsp server that has the SHA2
> option as in #9127.
>
>
> libavformat/httpauth.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
> index 4f79c78edc..0e57c5c3e5 100644
> --- a/libavformat/httpauth.c
> +++ b/libavformat/httpauth.c
> @@ -101,12 +101,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
> state);
> } else if (av_stristart(value, "Digest ", &p) &&
> state->auth_type <= HTTP_AUTH_DIGEST) {
> + HTTPAuthState state_copy;
> + const char* algorithm;
> + memcpy(&state_copy, state, sizeof(state_copy));
> +
> state->auth_type = HTTP_AUTH_DIGEST;
> memset(&state->digest_params, 0, sizeof(DigestParams));
> state->realm[0] = 0;
> state->stale = 0;
> ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
> state);
> + algorithm = state->digest_params.algorithm;
> + if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) {
> + memcpy(state, &state_copy, sizeof(state_copy));
> + return;
> + }
> choose_qop(state->digest_params.qop,
> sizeof(state->digest_params.qop));
> if (!av_strcasecmp(state->digest_params.stale, "true"))
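Review bot: The new algorithm check compares with case-sensitive strcmp(), while the stale comparison at the end of this hunk uses av_strcasecmp(), so a challenge that spells the value as algorithm=md5 would be treated as unimplemented and the previous state restored. Consider av_strcasecmp() for the "MD5" and "MD5-sess" comparisons, provided the code that builds the response accepts the same spellings. Separately, the restore path copies the whole HTTPAuthState twice with memcpy(); parsing the challenge into a temporary HTTPAuthState and assigning it to *state only when the algorithm is accepted would avoid the rollback, and a short comment above the check saying that only MD5 variants are implemented would explain the early return. Style: the declaration should read const char *algorithm; to match the pointer style of the surrounding lines.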
> --
> 2.30.1
>
ping
--
Andriy