Chapril
/
xmpp.chapril.org-ejabberd
mirror of https://github.com/processone/ejabberd.git
24
1
Fork 0
Code Releases Activity

Reject request http_api request that have malformed Authentication header

This commit is contained in:
Paweł Chmielowski 2019-01-30 16:34:29 +01:00
parent 096b4a50e5
commit 56baa07d48
3 changed files with 27 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/ejabberd_http.erl
View File

@ -852,23 +852,23 @@ code_to_phrase(505) -> <<"HTTP Version Not Supported">>.
-spec parse_auth(binary()) -> {binary(), binary()} | {oauth, binary(), []} | undefined.
parse_auth(<<"Basic ", Auth64/binary>>) ->
Auth = try base64:decode(Auth64)
catch _:badarg -> <<>>
end,
%% Auth should be a string with the format: user@server:password
%% Note that password can contain additional characters '@' and ':'
case str:chr(Auth, $:) of
0 ->
undefined;
Pos ->
{User, <<$:, Pass/binary>>} = erlang:split_binary(Auth, Pos-1),
PassUtf8 = unicode:characters_to_binary(binary_to_list(Pass), utf8),
{User, PassUtf8}
try base64:decode(Auth64) of
Auth ->
case binary:split(Auth, <<":">>) of
[User, Pass] ->
PassUtf8 = unicode:characters_to_binary(Pass, utf8),
{User, PassUtf8};
_ ->
invalid
end
catch _:_ ->
invalid
end;
parse_auth(<<"Bearer ", SToken/binary>>) ->
Token = str:strip(SToken),
{oauth, Token, []};
parse_auth(<<_/binary>>) -> undefined.
parse_auth(<<_/binary>>) ->
invalid.
parse_urlencoded(S) ->
parse_urlencoded(S, nokey, <<>>, key).

1
src/ejabberd_web_admin.erl
View File

@ -254,6 +254,7 @@ get_auth_admin(Auth, HostHTTP, RPath, Method) ->
catch _:{bad_jid, _} ->
{unauthorized, <<"badformed-jid">>}
end;
invalid -> {unauthorized, <<"no-auth-provided">>};
undefined -> {unauthorized, <<"no-auth-provided">>}
end.

2
src/mod_http_api.erl
View File

@ -158,6 +158,8 @@ extract_auth(#request{auth = HTTPAuth, ip = {IP, _}, opts = Opts}) ->
{false, Reason} ->
{error, Reason}
end;
invalid ->
{error, invalid_auth};
_ ->
#{}
end,