diff options
| author | Christian Grothoff <christian@grothoff.org> | 2021-11-20 23:37:44 +0100 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2021-11-20 23:37:44 +0100 |
| commit | 0f168f2beb607cbe681f1b37be5d92585fa7922b (patch) | |
| tree | df350c1adadfc5035966f1d4234f5698571bba38 /src | |
| parent | 861828957b4b2004656de7eda4bc4f313a218277 (diff) | |
| download | merchant-0f168f2beb607cbe681f1b37be5d92585fa7922b.tar.gz merchant-0f168f2beb607cbe681f1b37be5d92585fa7922b.tar.bz2 merchant-0f168f2beb607cbe681f1b37be5d92585fa7922b.zip | |
fix #7034: URL decode authorization header token
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/taler-merchant-httpd.c | 10 | ||||
| -rw-r--r-- | src/lib/merchant_api_post_instance_auth.c | 19 | ||||
| -rw-r--r-- | src/lib/merchant_api_post_instances.c | 8 |
3 files changed, 33 insertions, 4 deletions
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c index 73d3327f..727a982e 100644 --- a/src/backend/taler-merchant-httpd.c +++ b/src/backend/taler-merchant-httpd.c @@ -154,22 +154,28 @@ TMH_check_auth (const char *token, const struct GNUNET_HashCode *hash) { struct GNUNET_HashCode val; + char *dec; + size_t dec_len; if (GNUNET_is_zero (hash)) return GNUNET_OK; if (NULL == token) return GNUNET_SYSERR; + dec_len = GNUNET_STRINGS_urldecode (token, + strlen (token), + &dec); GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_kdf (&val, sizeof (val), salt, sizeof (*salt), - token, - strlen (token), + dec, + dec_len, "merchant-instance-auth", strlen ("merchant-instance-auth"), NULL, 0)); + GNUNET_free (dec); return (0 == GNUNET_memcmp (&val, hash)) ? GNUNET_OK diff --git a/src/lib/merchant_api_post_instance_auth.c b/src/lib/merchant_api_post_instance_auth.c index 382e9c42..e2936c5c 100644 --- a/src/lib/merchant_api_post_instance_auth.c +++ b/src/lib/merchant_api_post_instance_auth.c @@ -174,11 +174,28 @@ TALER_MERCHANT_instance_auth_post ( } else { + char *enc; + + if (0 != strncasecmp (RFC_8959_PREFIX, + auth_token, + strlen (RFC_8959_PREFIX))) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Authentication token must start with `%s'\n", + RFC_8959_PREFIX); + GNUNET_free (iaph->url); + GNUNET_free (iaph); + return NULL; + } + (void) GNUNET_STRINGS_urlencode (auth_token, + strlen (auth_token), + &enc); req_obj = GNUNET_JSON_PACK ( GNUNET_JSON_pack_string ("method", "token"), GNUNET_JSON_pack_string ("token", - auth_token)); + enc)); + GNUNET_free (enc); } GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Requesting URL '%s'\n", diff --git a/src/lib/merchant_api_post_instances.c b/src/lib/merchant_api_post_instances.c index 0fa7063f..19104aa5 100644 --- a/src/lib/merchant_api_post_instances.c +++ b/src/lib/merchant_api_post_instances.c @@ -182,6 +182,8 @@ TALER_MERCHANT_instances_post ( if (NULL != auth_token) { + char *enc; + if (0 != strncasecmp (RFC_8959_PREFIX, auth_token, strlen (RFC_8959_PREFIX))) @@ -191,11 +193,15 @@ TALER_MERCHANT_instances_post ( RFC_8959_PREFIX); return NULL; } + (void) GNUNET_STRINGS_urlencode (auth_token, + strlen (auth_token), + &enc); auth_obj = GNUNET_JSON_PACK ( GNUNET_JSON_pack_string ("method", "token"), GNUNET_JSON_pack_string ("token", - auth_token)); + enc)); + GNUNET_free (enc); } else { |