[FFmpeg-devel] [PATCH] avformat/httpauth: don't overwrite auth digest with unimplemented algorithm
Andriy Gelman
andriy.gelman at gmail.com
Mon Mar 8 01:14:58 EET 2021
From: Andriy Gelman <andriy.gelman at gmail.com>
In rtsp/http authentication the server may provide several options for
hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616
Section 3.7). Currently only support for MD5 is implemented in the auth code.
If the SHA2 option follows the MD5 option in the server reply, the
latter option will overwrite the MD5 auth info and the authorization
will fail. This patch only overwrites the auth info if it's MD5.
Fixes ticket #9127.
Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
---
An alternative may be to add the SHA2 code to http auth. I can work on this if
people think it's a better option.
Also, I could only test that the MD5 option doesn't get overwritten by modifying
server responses in gdb. I could not find an rtsp server that has the SHA2
option as in #9127.
libavformat/httpauth.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
index 4f79c78edc..0e57c5c3e5 100644
--- a/libavformat/httpauth.c
+++ b/libavformat/httpauth.c
@@ -101,12 +101,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
state);
} else if (av_stristart(value, "Digest ", &p) &&
state->auth_type <= HTTP_AUTH_DIGEST) {
+ HTTPAuthState state_copy;
+ const char* algorithm;
+ memcpy(&state_copy, state, sizeof(state_copy));
+
state->auth_type = HTTP_AUTH_DIGEST;
memset(&state->digest_params, 0, sizeof(DigestParams));
state->realm[0] = 0;
state->stale = 0;
ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
state);
+ algorithm = state->digest_params.algorithm;
+ if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) {
+ memcpy(state, &state_copy, sizeof(state_copy));
+ return;
+ }
choose_qop(state->digest_params.qop,
sizeof(state->digest_params.qop));
if (!av_strcasecmp(state->digest_params.stale, "true"))
--
2.30.1
More information about the ffmpeg-devel
mailing list