From: Andriy Gelman <andriy.gel...@gmail.com>

In rtsp/http authentication the server may provide several options for hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616 Section 3.7). Currently only support for MD5 is implemented in the auth code.
If the SHA2 option follows the MD5 option in the server reply, the latter option will overwrite the MD5 auth info and the authorization will fail. This patch only overwrites the auth info if it's MD5.

Fixes ticket #9127.

Signed-off-by: Andriy Gelman <andriy.gel...@gmail.com>
---
An alternative may be to add the SHA2 code to http auth. I can work on this if people think it's a better option.

Also, I could only test that the MD5 option doesn't get overwritten by modifying server responses in gdb. I could not find an rtsp server that has the SHA2 option as in #9127.

libavformat/httpauth.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index 4f79c78edc..0e57c5c3e5 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -101,12 +101,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, state); } else if (av_stristart(value, "Digest ", &p) && state->auth_type <= HTTP_AUTH_DIGEST) { + HTTPAuthState state_copy; + const char* algorithm; + memcpy(&state_copy, state, sizeof(state_copy)); + state->auth_type = HTTP_AUTH_DIGEST; memset(&state->digest_params, 0, sizeof(DigestParams)); state->realm[0] = 0; state->stale = 0; ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params, state); + algorithm = state->digest_params.algorithm; + if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) { + memcpy(state, &state_copy, sizeof(state_copy)); + return; + } choose_qop(state->digest_params.qop, sizeof(state->digest_params.qop)); if (!av_strcasecmp(state->digest_params.stale, "true")) -- 2.30.1
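
Review bot: The algorithm check in the added `if` uses case-sensitive `strcmp`, while the unchanged line just below it compares `stale` with `av_strcasecmp`; if the parsed value is stored as the server sent it, a challenge with `algorithm=md5` would be treated as unsupported and rolled back. Consider `av_strcasecmp` for all three comparisons. The early `return` also discards an unsupported challenge silently, so when a server offers only a SHA2 algorithm the state reverts to whatever was there before with nothing to indicate why authentication fails; a short comment above the restore explaining that only MD5 variants are implemented would make the intent clear. Parsing into the temporary copy and assigning it to `*state` only once the algorithm is accepted would avoid mutating the live state and then undoing it with a second `memcpy`. Style: `const char* algorithm;` should be `const char *algorithm;` to match `const char *key` in the function signature.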