Fix integer length overflow in basic auth by dirkmueller · Pull Request #6946 · esp8266/Arduino
dirkmueller changed the title from "Fix length overflow in username/password authentication" to "Fix integer length overflow in basic auth"
dirkmueller added a commit to dirkmueller/Arduino that referenced this pull request (Sep 2, 2020):
This is a followup of the discussion in esp8266#6946 (comment) to untangle the namespace/double inclusions in this library.
d-a-v pushed a commit that referenced this pull request (Sep 17, 2020):
untangle the namespace/double inclusions in webserver library. This is a followup of the discussion in #6946 (comment)
The string lengths were added and then stored in "char", which is limited to values of at most 255. Using size_t is a much more appropriate type. In addition, the code was using base64 with newlines injected (easy to fall into that trap as the default is imho wrong), which means that anything longer than ~60 characters never matched and you had no way to authenticate against the server.
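An added example (not code from this pull request or from the esp8266/Arduino project) of the two failure modes the description names: a combined credential length narrowed to 8 bits, and a line-wrapped base64 value that cannot equal the unwrapped value an HTTP client sends. The helper names (`b64`, `len_narrow`, `len_wide`, `matches`) and the 72-character wrap width are assumptions made for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical stand-in encoder; wrap == 0 disables line wrapping.
std::string b64(const std::string& in, size_t wrap) {
    static const char T[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t col = 0;
    for (size_t i = 0; i < in.size(); i += 3) {
        size_t n = in.size() - i;                       // bytes left for this group
        uint32_t v = (uint32_t)(uint8_t)in[i] << 16;
        if (n > 1) v |= (uint32_t)(uint8_t)in[i + 1] << 8;
        if (n > 2) v |= (uint8_t)in[i + 2];
        char q[4] = { T[(v >> 18) & 63], T[(v >> 12) & 63],
                      T[(v >> 6) & 63], T[v & 63] };
        if (n < 3) q[3] = '=';                          // padding for short groups
        if (n < 2) q[2] = '=';
        for (char c : q) {
            if (wrap && col == wrap) { out += '\n'; col = 0; }
            out += c;
            ++col;
        }
    }
    return out;
}

// "Before" shape: combined length (+1 for ':') narrowed to 8 bits, wraps modulo 256.
size_t len_narrow(const std::string& u, const std::string& p) {
    return (uint8_t)(u.size() + p.size() + 1);
}

// "After" shape: size_t holds the real length.
size_t len_wide(const std::string& u, const std::string& p) {
    return u.size() + p.size() + 1;
}

// Does the client's unwrapped value equal the value the server computes?
bool matches(const std::string& u, const std::string& p, size_t server_wrap) {
    std::string cred = u + ":" + p;
    return b64(cred, 0) == b64(cred, server_wrap);
}

int main() {
    std::string u(30, 'u'), p(40, 'p');                 // constructed sample credentials
    std::printf("wrapped: %d, unwrapped: %d\n", matches(u, p, 72), matches(u, p, 0));
    return 0;
}
```

Short credentials pass in both configurations, which is why this class of bug survives casual testing; a regression test needs a credential pair whose encoded form exceeds the wrap width and one whose combined length exceeds 255.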