Chapril/xmpp.chapril.org-ejabberd
24
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2024-06-10 21:47:01 +02:00
Code Releases Activity

Reject request http_api request that have malformed Authentication header

Browse Source
This commit is contained in:
Paweł Chmielowski 2019-01-30 16:34:29 +01:00
parent 096b4a50e5
commit 56baa07d48
3 changed files with 27 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/ejabberd_http.erl
View File

@ -852,23 +852,23 @@ code_to_phrase(505) -> <<"HTTP Version Not Supported">>.
-spec parse_auth(binary()) -> {binary(), binary()} | {oauth, binary(), []} | undefined. -spec parse_auth(binary()) -> {binary(), binary()} | {oauth, binary(), []} | undefined.
parse_auth(<<"Basic ", Auth64/binary>>) -> parse_auth(<<"Basic ", Auth64/binary>>) ->
Auth = try base64:decode(Auth64) try base64:decode(Auth64) of
catch _:badarg -> <<>> Auth ->
end, case binary:split(Auth, <<":">>) of
%% Auth should be a string with the format: user@server:password [User, Pass] ->
%% Note that password can contain additional characters '@' and ':' PassUtf8 = unicode:characters_to_binary(Pass, utf8),
case str:chr(Auth, $:) of {User, PassUtf8};
0 -> _ ->
undefined; invalid
Pos -> end
{User, <<$:, Pass/binary>>} = erlang:split_binary(Auth, Pos-1), catch _:_ ->
PassUtf8 = unicode:characters_to_binary(binary_to_list(Pass), utf8), invalid
{User, PassUtf8}
end; end;
parse_auth(<<"Bearer ", SToken/binary>>) -> parse_auth(<<"Bearer ", SToken/binary>>) ->
Token = str:strip(SToken), Token = str:strip(SToken),
{oauth, Token, []}; {oauth, Token, []};
parse_auth(<<_/binary>>) -> undefined. parse_auth(<<_/binary>>) ->
invalid.
parse_urlencoded(S) -> parse_urlencoded(S) ->
parse_urlencoded(S, nokey, <<>>, key). parse_urlencoded(S, nokey, <<>>, key).

1
src/ejabberd_web_admin.erl
View File

@ -254,6 +254,7 @@ get_auth_admin(Auth, HostHTTP, RPath, Method) ->
catch _:{bad_jid, _} -> catch _:{bad_jid, _} ->
{unauthorized, <<"badformed-jid">>} {unauthorized, <<"badformed-jid">>}
end; end;
invalid -> {unauthorized, <<"no-auth-provided">>};
undefined -> {unauthorized, <<"no-auth-provided">>} undefined -> {unauthorized, <<"no-auth-provided">>}
end. end.

2
src/mod_http_api.erl
View File

@ -158,6 +158,8 @@ extract_auth(#request{auth = HTTPAuth, ip = {IP, _}, opts = Opts}) ->
{false, Reason} -> {false, Reason} ->
{error, Reason} {error, Reason}
end; end;
invalid ->
{error, invalid_auth};
_ -> _ ->
#{} #{}
end, end,