diff options
author | Florian Dold <florian@dold.me> | 2021-03-02 20:03:17 +0100 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2021-03-02 20:03:17 +0100 |
commit | 66f6cf25d499b97a5a8811ca34ab72f096dd31d4 (patch) | |
tree | a605f6cedf52f71b5d0566746621478ce3fe0bc2 /src/backend/taler-merchant-httpd.c | |
parent | 7075d07b688893410c79b515ecb724af53787eda (diff) | |
download | merchant-66f6cf25d499b97a5a8811ca34ab72f096dd31d4.tar.gz merchant-66f6cf25d499b97a5a8811ca34ab72f096dd31d4.tar.bz2 merchant-66f6cf25d499b97a5a8811ca34ab72f096dd31d4.zip |
fix Authorization header parsing
Diffstat (limited to 'src/backend/taler-merchant-httpd.c')
-rw-r--r-- | src/backend/taler-merchant-httpd.c | 53 |
1 files changed, 37 insertions, 16 deletions
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c index 0690e621..77dedaae 100644 --- a/src/backend/taler-merchant-httpd.c +++ b/src/backend/taler-merchant-httpd.c @@ -960,6 +960,35 @@ TMH_add_instance (struct TMH_MerchantInstance *mi) return ret; } +/** + * Extract the token from authorization header value @a auth. + * + * @param auth pointer to authorization header value, + * will be updated to point to the start of the token + * or set to NULL if header value is invalid + */ +static void +extract_token (const char **auth) +{ + const char *bearer = "Bearer "; + const char *tok = *auth; + if (0 != strncmp (tok, bearer, strlen (bearer))) + { + *auth = NULL; + return; + } + tok = tok + strlen (bearer); + while (' ' == *tok) + tok++; + if (0 != strncasecmp (tok, + RFC_8959_PREFIX, + strlen (RFC_8959_PREFIX))) + { + *auth = NULL; + return; + } + *auth = tok; +} /** * A client has requested the given url using the given method @@ -1654,23 +1683,15 @@ url_handler (void *cls, MHD_HTTP_HEADER_AUTHORIZATION); if (NULL != auth) { - if (0 != strncasecmp (auth, - RFC_8959_PREFIX, - strlen (RFC_8959_PREFIX))) - { - /* We _only_ complain about malformed auth headers if - authorization was truly required (#6737). This helps - in case authorization was disabled in the backend - because some reverse proxy is already doing it, and - then that reverse proxy may forward malformed auth - headers to the backend. */ + /* We _only_ complain about malformed auth headers if + authorization was truly required (#6737). This helps + in case authorization was disabled in the backend + because some reverse proxy is already doing it, and + then that reverse proxy may forward malformed auth + headers to the backend. */ + extract_token (&auth); + if (NULL == auth) auth_malformed = true; - auth = NULL; - } - else - { - auth += strlen (RFC_8959_PREFIX); - } } /* Are the credentials provided OK for the default instance? |