From 15e0542120e53c9fa4eede2ba971f02da706c0a8 Mon Sep 17 00:00:00 2001
From: "Earle F. Philhower, III"
Date: Sat, 24 Oct 2020 14:35:59 -0700
Subject: [PATCH] Fix long password validation in WebServer

Use a base64 encode that doesn't add CRs to the output when comparing username:password values for authentication.

Fixes #7664
---
 .../ESP8266WebServer/src/ESP8266WebServer-impl.h | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
index eed9cb945a..f18b8ae95c 100644
--- a/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
+++ b/libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h
@@ -26,6 +26,7 @@
 #include "WiFiClient.h"
 #include "ESP8266WebServer.h"
 #include "FS.h"
+#include "base64.h"
 #include "detail/RequestHandlersImpl.h"
 
 static const char AUTHORIZATION_HEADER[] PROGMEM = "Authorization";
@@ -98,21 +99,19 @@ bool ESP8266WebServerTemplate::authenticate(const char * username, c
 authReq = "";
 return false;
 }
- char *encoded = new (std::nothrow) char[base64_encode_expected_len(toencodeLen)+1];
- if(encoded == NULL){
+ sprintf(toencode, "%s:%s", username, password);
+ String encoded = base64::encode((uint8_t *)toencode, toencodeLen, false);
+ if(!encoded){
 authReq = "";
 delete[] toencode;
 return false;
 }
- sprintf(toencode, "%s:%s", username, password);
- if(base64_encode_chars(toencode, toencodeLen, encoded) > 0 && authReq.equalsConstantTime(encoded)) {
+ if(authReq.equalsConstantTime(encoded)) {
 authReq = "";
 delete[] toencode;
- delete[] encoded;
 return true;
 }
 delete[] toencode;
- delete[] encoded;
 } else if(authReq.startsWith(F("Digest"))) {
 String _realm = _extractParam(authReq, F("realm=\""));
 String _H1 = credentialHash((String)username,_realm,(String)password);
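Review bot: The moved `sprintf(toencode, "%s:%s", username, password);` in the second hunk writes into a heap buffer whose size is fixed before the hunk, and nothing on the new side ties the write to that size; if `toencode` is allocated as `toencodeLen + 1` bytes, as the `base64::encode(..., toencodeLen, ...)` call on the next line suggests, `snprintf(toencode, toencodeLen + 1, "%s:%s", username, password);` keeps the write bounded should the length computation and the format string ever drift apart. The `(uint8_t *)toencode` C-style cast on that same line would read better as a `reinterpret_cast`, to `const uint8_t *` if base64::encode takes its input as const. Now that `encoded` is a `String` that releases itself, `toencode` is the only remaining manual `delete[]` in the hunk, repeated on three exit paths; holding it in a `std::unique_ptr<char[]>` at its out-of-hunk allocation would drop all three. The body of authenticate() starts and ends outside the hunk.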