Merge commit from fork
Ensures auth check doesn't pass erroneously when the client-supplied digest is shorter than the correct digest, but happens to match a prefix of the correct value (e.g., same username + certain substrings of the password).
committed by
Jesse Hills
parent
d071a074ef
commit
2aceb56606
@@ -253,7 +253,7 @@ bool AsyncWebServerRequest::authenticate(const char *username, const char *passw
|
||||
esp_crypto_base64_encode(reinterpret_cast<uint8_t *>(digest.get()), n, &out,
|
||||
reinterpret_cast<const uint8_t *>(user_info.c_str()), user_info.size());
|
||||
|
||||
return strncmp(digest.get(), auth_str + auth_prefix_len, auth.value().size() - auth_prefix_len) == 0;
|
||||
return strcmp(digest.get(), auth_str + auth_prefix_len) == 0;
|
||||
}
|
||||
|
||||
void AsyncWebServerRequest::requestAuthentication(const char *realm) const {
|
||||
|
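Review bot: The added `strcmp` line closes the prefix-match bug but still compares with an early exit, so the time taken to reject a wrong Authorization header grows with the length of the correctly-guessed prefix of the base64 digest; practical exploitability over HTTP on this device is probably low, but a fixed-time comparison is cheap and removes the signal. It also depends on `digest.get()` being NUL-terminated by `esp_crypto_base64_encode`, which I cannot confirm from the page; if the buffer is sized exactly n for the encoded output, a one-line comment at the allocation stating that the terminator fits would help the next reader. The sketch below does a length check followed by an OR-accumulated byte comparison over the whole expected digest, using only `strlen`, which the line already relies on implicitly. The enclosing authenticate() body begins above the hunk.
```cpp
// … unchanged: base64 encoding of user_info into digest …
const char *supplied = auth_str + auth_prefix_len;
const size_t expected_len = strlen(digest.get());
if (strlen(supplied) != expected_len)
  return false;
// compare every byte so the reject time does not depend on where the first mismatch is
unsigned char diff = 0;
for (size_t i = 0; i < expected_len; i++)
  diff |= static_cast<unsigned char>(digest.get()[i] ^ supplied[i]);
return diff == 0;
```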