
WebServer: use String when working with Basic authentication (#8548)

Avoid blowing up user code when `$user:$password` string is longer than
127 bytes. Use String to both manage the memory and handle concatenation.

Also clean up historical quirks such as
- `if(StringObject)` that is always true since we implemented SSO
- `authReq = "";` / `authReq = String();`, which will happen anyway
- `(String)...` casts that happen anyway, implicitly (and which is not really a 'cast' either, btw — it just constructs a String)
Max Prokhorov 2022-04-30 18:25:42 +03:00 committed by GitHub
parent f149d7b70e
commit 1a49a0449b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -102,31 +102,31 @@ bool ESP8266WebServerTemplate<ServerType>::authenticate(const char * username, c
if(authReq.startsWith(F("Basic"))){
authReq = authReq.substring(6);
authReq.trim();
char toencodeLen = strlen(username)+strlen(password)+1;
char *toencode = new (std::nothrow) char[toencodeLen + 1];
if(toencode == NULL){
authReq = "";
const size_t username_len = strlen(username);
const size_t password_len = strlen(password);
String raw;
raw.reserve(username_len + password_len + 1);
raw.concat(username, username_len);
raw += ':';
raw.concat(password, password_len);
if(!raw.length()) {
return false;
}
sprintf(toencode, "%s:%s", username, password);
String encoded = base64::encode((uint8_t *)toencode, toencodeLen, false);
if(!encoded){
authReq = "";
delete[] toencode;
String encoded = base64::encode(raw, false);
if(!encoded.length()){
return false;
}
if(authReq.equalsConstantTime(encoded)) {
authReq = "";
delete[] toencode;
return true;
}
delete[] toencode;
} else if(authReq.startsWith(F("Digest"))) {
String _realm = _extractParam(authReq, F("realm=\""));
String _H1 = credentialHash((String)username,_realm,(String)password);
return authenticateDigest((String)username,_H1);
String _H1 = credentialHash(username,_realm,password);
return authenticateDigest(username,_H1);
}
authReq = "";
}
return false;
}
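Review bot: The `if(!raw.length())` guard placed after the three appends cannot fire on a successful build (`raw` always holds at least the `':'`), and it does not cover the failure it is presumably meant for: in the ESP8266 core `String::reserve` and `String::concat` signal allocation failure through their return value and, as far as I can tell, leave whatever was appended so far in place, so a partially built `raw` would be encoded and compared against the client-supplied header instead of being rejected. Checking the reservation up front fails closed and makes the later length test unnecessary: `if(!raw.reserve(username_len + password_len + 1)) { return false; }`. The `!encoded.length()` check after `base64::encode` is fine as a catch-all for the same reason. Note that the enclosing `authenticate` body begins above this hunk (`authReq` is extracted there), and the rendering appears to have dropped blank lines that the 31/31 line counts in the header imply.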