From 439d146616f65815e277ee7a6a25f158facec123 Mon Sep 17 00:00:00 2001
From: Maxim Prokhorov
Date: Thu, 21 Apr 2022 04:19:06 +0300
Subject: [PATCH 1/2] WebServer: use String when working with Basic authentication

Avoid blowing up user code when `$user:$password` string is longer than 127 bytes. Use String to both manage the memory and handle concatenation.

Also clean-up historical quicks such as
- `authReq = "";` / `authReq = String();`, which will happen anyway
- `(String)...` casts that happen anyway, implicitly
---
 .../src/ESP8266WebServer-impl.h | 31 ++++++++++---------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
index 6ae7b77938..9a8ab97623 100644
--- a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
+++ b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
@@ -102,31 +102,32 @@ bool ESP8266WebServerTemplate::authenticate(const char * username, c
 if(authReq.startsWith(F("Basic"))){
 authReq = authReq.substring(6);
 authReq.trim();
- char toencodeLen = strlen(username)+strlen(password)+1;
- char *toencode = new (std::nothrow) char[toencodeLen + 1];
- if(toencode == NULL){
- authReq = "";
+
+ const size_t username_len = strlen(username);
+ const size_t password_len = strlen(password);
+
+ String raw;
+ raw.reserve(username_len + password_len + 1);
+ if(!raw.length()) {
 return false;
 }
- sprintf(toencode, "%s:%s", username, password);
- String encoded = base64::encode((uint8_t *)toencode, toencodeLen, false);
- if(!encoded){
- authReq = "";
- delete[] toencode;
+
+ raw.concat(username, username_len);
+ raw += ':';
+ raw.concat(password, password_len);
+
+ String encoded = base64::encode(raw, false);
+ if(!encoded.length()){
 return false;
 }
 if(authReq.equalsConstantTime(encoded)) {
- authReq = "";
- delete[] toencode;
 return true;
 }
- delete[] toencode;
 } else if(authReq.startsWith(F("Digest"))) {
 String _realm = _extractParam(authReq, F("realm=\""));
- String _H1 = credentialHash((String)username,_realm,(String)password);
- return authenticateDigest((String)username,_H1);
+ String _H1 = credentialHash(username,_realm,password);
+ return authenticateDigest(username,_H1);
 }
- authReq = "";
 }
 return false;
 }
From f22e37c0ad4319e00e09c3dcc555f52251155315 Mon Sep 17 00:00:00 2001
From: Maxim Prokhorov
Date: Thu, 21 Apr 2022 04:51:01 +0300
Subject: [PATCH 2/2] fixup! WebServer: use String when working with Basic authentication
---
 libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
index 9a8ab97623..6ffdbbd3b6 100644
--- a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
+++ b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
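Review bot: The allocation-failure guard in the Basic branch does not catch a truncated credential: the result of `raw.reserve(...)` is ignored, and `if(!raw.length())` (placed right after `reserve` here, moved after the `concat` calls by the fixup) only fires when the String is completely empty, so if `reserve` fails and only a later `concat` fails, `raw` can presumably hold `user:` or a partial password, and that truncated value is base64-encoded and handed to `equalsConstantTime` as if it were the real credential. Comparing against the length the code already computes closes that gap without depending on how String reports failures: `if(raw.length() != username_len + password_len + 1) { return false; }` in place of the `!raw.length()` check (or, if String::reserve returns a success flag on this core, `if(!raw.reserve(username_len + password_len + 1)) { return false; }`). A one-line comment such as `// a truncated user:pass must never reach the comparison` would make the intent of the guard clear to the next reader. The enclosing authenticate() starts before this hunk.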
@@ -108,13 +108,12 @@ bool ESP8266WebServerTemplate::authenticate(const char * username, c String raw; raw.reserve(username_len + password_len + 1); - if(!raw.length()) { - return false; - } - raw.concat(username, username_len); raw += ':'; raw.concat(password, password_len); + if(!raw.length()) { + return false; + } String encoded = base64::encode(raw, false); if(!encoded.length()){