[FFmpeg-devel] [PATCH] avformat/httpauth: don't overwrite auth digest with unimplemented algorithm

Andriy Gelman andriy.gelman at gmail.com
Sat Mar 13 07:05:24 EET 2021


On Sun, 07. Mar 18:14, Andriy Gelman wrote:
> From: Andriy Gelman <andriy.gelman at gmail.com>
> 
> In rtsp/http authentication the server may provide several options for
> hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616
> Section 3.7). Currently only support for MD5 is implemented in the auth code.
> 
> If the SHA2 option follows the MD5 option in the server reply, the
> latter option will overwrite the MD5 auth info and the authorization
> will fail.  This patch only overwrites the auth info if it's MD5.
> 
> Fixes ticket #9127.
> 
> Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
> ---
> 
> An alternative may be to add the SHA2 code to http auth. I can work on this if
> people think it's a better option.
> 
> Also, I could only test that the MD5 option doesn't get overwritten by modifying
> server responses in gdb. I could not find an rtsp server that has the SHA2
> option as in #9127. 
> 
> 
>  libavformat/httpauth.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
> index 4f79c78edc..0e57c5c3e5 100644
> --- a/libavformat/httpauth.c
> +++ b/libavformat/httpauth.c
> @@ -101,12 +101,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
>                                 state);
>          } else if (av_stristart(value, "Digest ", &p) &&
>                     state->auth_type <= HTTP_AUTH_DIGEST) {
> +            HTTPAuthState state_copy;
> +            const char* algorithm;
> +            memcpy(&state_copy, state, sizeof(state_copy));
> +
>              state->auth_type = HTTP_AUTH_DIGEST;
>              memset(&state->digest_params, 0, sizeof(DigestParams));
>              state->realm[0] = 0;
>              state->stale = 0;
>              ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
>                                 state);
> +            algorithm = state->digest_params.algorithm;
> +            if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) {
> +                memcpy(state, &state_copy, sizeof(state_copy));
> +                return;
> +            }
>              choose_qop(state->digest_params.qop,
>                         sizeof(state->digest_params.qop));
>              if (!av_strcasecmp(state->digest_params.stale, "true"))
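
Review bot: The new algorithm check, `if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess"))`, compares case-sensitively, while the other string tests in this hunk use `av_stristart` and `av_strcasecmp`. A value such as `md5` in `state->digest_params.algorithm` would be treated as unimplemented and the challenge rolled back. Consider `av_strcasecmp` here for consistency. The rollback path also returns silently, so when the only Digest challenge offered names an unsupported algorithm, nothing indicates why the auth state was left unchanged; a log message naming the rejected algorithm would make that case easier to diagnose. Minor: `state_copy = *state;` and `*state = state_copy;` are clearer than the two `memcpy` calls, and `const char* algorithm` should be `const char *algorithm` to match the pointer style in the function signature (`const char *key`).
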
> -- 
> 2.30.1
> 

ping

-- 
Andriy

