
commit 0f168f2beb607cbe681f1b37be5d92585fa7922b
parent 861828957b4b2004656de7eda4bc4f313a218277
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat, 20 Nov 2021 23:37:44 +0100

fix #7034: URL decode authorization header token

Diffstat:
Msrc/backend/taler-merchant-httpd.c | 10++++++++--
Msrc/lib/merchant_api_post_instance_auth.c | 19++++++++++++++++++-
Msrc/lib/merchant_api_post_instances.c | 8+++++++-
3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
@@ -154,22 +154,28 @@ TMH_check_auth (const char *token,
 const struct GNUNET_HashCode *hash)
 {
 struct GNUNET_HashCode val;
+ char *dec;
+ size_t dec_len;
 if (GNUNET_is_zero (hash))
 return GNUNET_OK;
 if (NULL == token)
 return GNUNET_SYSERR;
+ dec_len = GNUNET_STRINGS_urldecode (token,
+ strlen (token),
+ &dec);
 GNUNET_assert (GNUNET_YES ==
 GNUNET_CRYPTO_kdf (&val,
 sizeof (val),
 salt,
 sizeof (*salt),
- token,
- strlen (token),
+ dec,
+ dec_len,
 "merchant-instance-auth",
 strlen ("merchant-instance-auth"),
 NULL,
 0));
+ GNUNET_free (dec);
 return (0 == GNUNET_memcmp (&val,
 hash))
 ? GNUNET_OK
diff --git a/src/lib/merchant_api_post_instance_auth.c b/src/lib/merchant_api_post_instance_auth.c
@@ -174,11 +174,28 @@ TALER_MERCHANT_instance_auth_post (
 }
 else
 {
+ char *enc;
+
+ if (0 != strncasecmp (RFC_8959_PREFIX,
+ auth_token,
+ strlen (RFC_8959_PREFIX)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Authentication token must start with `%s'\n",
+ RFC_8959_PREFIX);
+ GNUNET_free (iaph->url);
+ GNUNET_free (iaph);
+ return NULL;
+ }
+ (void) GNUNET_STRINGS_urlencode (auth_token,
+ strlen (auth_token),
+ &enc);
 req_obj = GNUNET_JSON_PACK (
 GNUNET_JSON_pack_string ("method",
 "token"),
 GNUNET_JSON_pack_string ("token",
- auth_token));
+ enc));
+ GNUNET_free (enc);
 }
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
 "Requesting URL '%s'\n",
diff --git a/src/lib/merchant_api_post_instances.c b/src/lib/merchant_api_post_instances.c
@@ -182,6 +182,8 @@ TALER_MERCHANT_instances_post (
 if (NULL != auth_token)
 {
+ char *enc;
+
 if (0 != strncasecmp (RFC_8959_PREFIX,
 auth_token,
 strlen (RFC_8959_PREFIX)))
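Review bot: TMH_check_auth now hashes the percent-decoded token, so the hash it is compared against must have been derived from the same decoded form; the server-side handler that computes the stored hash from the JSON `token` field (which the library hunks below now send percent-encoded) is not in this diff, and if it hashes that field as received, any token containing `%` or a character the client encodes will stop authenticating. Worth confirming, and then recording the rule above the urldecode call: `/* The header token may be percent-encoded (RFC 8959); hash the decoded form so it matches the hash stored at instance creation. */`. The GNUNET_STRINGS_urldecode call is also unchecked; if it can leave `dec` NULL on malformed input (not verifiable from here), the KDF would read through NULL, so `if (NULL == dec) return GNUNET_SYSERR;` before the GNUNET_assert would be cheap insurance. TMH_check_auth's return expression continues past the end of the hunk.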
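Review bot: GNUNET_STRINGS_urlencode is applied to `auth_token` unconditionally, so a caller that passes a token already containing percent-escapes (which RFC 8959 permits) gets it encoded a second time in the JSON body, while the backend hunk above decodes the Authorization header value only once; whether the two agree depends on the caller knowing that `auth_token` must be the raw, unencoded token, and nothing in this hunk says so. The parameter's doxygen (in the header, outside this diff) should state it: `@param auth_token raw RFC 8959 token, NOT percent-encoded; this function percent-encodes it for transport`. The error branch correctly releases `iaph->url` and `iaph` before returning NULL, but the `(void)` on urlencode discards whatever failure signal it has, so a one-line comment on why the result is trusted (`/* enc is NUL-terminated; length not needed */`) would help. TALER_MERCHANT_instance_auth_post continues on both sides of the hunk.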
@@ -191,11 +193,15 @@ TALER_MERCHANT_instances_post (
 RFC_8959_PREFIX);
 return NULL;
 }
+ (void) GNUNET_STRINGS_urlencode (auth_token,
+ strlen (auth_token),
+ &enc);
 auth_obj = GNUNET_JSON_PACK (
 GNUNET_JSON_pack_string ("method",
 "token"),
 GNUNET_JSON_pack_string ("token",
- auth_token));
+ enc));
+ GNUNET_free (enc);
 }
 else
 {
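Review bot: The prefix check, percent-encoding and `GNUNET_JSON_pack_string ("token", enc)` sequence is now duplicated between TALER_MERCHANT_instances_post and TALER_MERCHANT_instance_auth_post, so the two token-canonicalization paths can drift independently; a small shared helper in the library's common code that validates the RFC_8959_PREFIX and returns the encoded token (or NULL) would keep them aligned and give the "raw token in, encoded token out" rule one home. Until then, a comment at the urlencode call stating the contract, `/* auth_token is the raw token; encode once for transport, backend decodes once */`, documents why encoding happens here rather than leaving JSON to carry the bytes as-is. The enclosing function continues on both sides of the hunk.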