Fix long password validation in WebServer (#7676)

Use a base64 encode that doesn't add CRs to the output when comparing username:password values for authentication. Fixes #7664
2025-04-19 23:22:16 +03:00 · 2020-10-25 04:03:02 -07:00 · 2020-10-25 04:03:02 -07:00 · c65626622a
commit c65626622a
parent 8d2f53d9a2
1 changed files with 5 additions and 6 deletions
--- a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
+++ b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
@ -26,6 +26,7 @@
 #include "WiFiClient.h"
 #include "ESP8266WebServer.h"
 #include "FS.h"
+#include "base64.h"
 #include "detail/RequestHandlersImpl.h"

 static const char AUTHORIZATION_HEADER[] PROGMEM = "Authorization";
@ -98,21 +99,19 @@ bool ESP8266WebServerTemplate<ServerType>::authenticate(const char * username, c
        authReq = "";
        return false;
      }
-      char *encoded = new (std::nothrow) char[base64_encode_expected_len(toencodeLen)+1];
-      if(encoded == NULL){
+      sprintf(toencode, "%s:%s", username, password);
+      String encoded = base64::encode((uint8_t *)toencode, toencodeLen, false);
+      if(!encoded){
        authReq = "";
        delete[] toencode;
        return false;
      }
-      sprintf(toencode, "%s:%s", username, password);
-      if(base64_encode_chars(toencode, toencodeLen, encoded) > 0 && authReq.equalsConstantTime(encoded)) {
+      if(authReq.equalsConstantTime(encoded)) {
        authReq = "";
        delete[] toencode;
-        delete[] encoded;
        return true;
      }
      delete[] toencode;
-      delete[] encoded;
    } else if(authReq.startsWith(F("Digest"))) {
      String _realm    = _extractParam(authReq, F("realm=\""));
      String _H1 = credentialHash((String)username,_realm,(String)password);