Skip to content

Commit 59ed4f9

Browse files
fitzyjoefitzyjoe
committed
Fix possible overflow - thanks @eutychus
@eutychus contributed this fix that checks to make sure that the Authorization header contains at least "Bearer: "
1 parent 758ff80 commit 59ed4f9

File tree

2 files changed

+13
-5
lines changed

2 files changed

+13
-5
lines changed

src/ngx_http_auth_jwt_module.c

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -413,6 +413,7 @@ static char * getJwt(ngx_http_request_t *r, ngx_str_t auth_jwt_validation_type)
413413
char* jwtCookieValChrPtr = NULL;
414414
ngx_str_t jwtCookieVal;
415415
ngx_int_t n;
416+
ngx_int_t bearer_length;
416417
ngx_str_t authorizationHeaderStr;
417418

418419
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "auth_jwt_validation_type.len %d", auth_jwt_validation_type.len);
@@ -425,12 +426,17 @@ static char * getJwt(ngx_http_request_t *r, ngx_str_t auth_jwt_validation_type)
425426
{
426427
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "Found authorization header len %d", authorizationHeader->value.len);
427428

428-
authorizationHeaderStr.data = authorizationHeader->value.data + sizeof("Bearer ") - 1;
429-
authorizationHeaderStr.len = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
429+
bearer_length = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
430430

431-
jwtCookieValChrPtr = ngx_str_t_to_char_ptr(r->pool, authorizationHeaderStr);
431+
if (bearer_length > 0)
432+
{
433+
authorizationHeaderStr.data = authorizationHeader->value.data + sizeof("Bearer ") - 1;
434+
authorizationHeaderStr.len = bearer_length;
435+
436+
jwtCookieValChrPtr = ngx_str_t_to_char_ptr(r->pool, authorizationHeaderStr);
432437

433-
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "Authorization header: %s", jwtCookieValChrPtr);
438+
ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "Authorization header: %s", jwtCookieValChrPtr);
439+
}
434440
}
435441
}
436442
else if (auth_jwt_validation_type.len > sizeof("COOKIE=") && ngx_strncmp(auth_jwt_validation_type.data, "COOKIE=", sizeof("COOKIE=") - 1)==0)

test.sh

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,8 @@ main() {
3636

3737
test_jwt "Secure test without jwt auth header" "/secure-auth-header/" "302"
3838

39+
test_jwt "Secure test with jwt auth header missing Bearer" "/secure-no-redirect/" "401" "--header \"Authorization: X\""
40+
3941
test_jwt "Secure test without jwt auth header" "/secure-no-redirect/" "401"
4042

4143
test_jwt "Secure test with jwt cookie - with no sub" "/secure/" "200" " --cookie \"rampartjwt=${MISSING_SUB_JWT}\""
@@ -45,4 +47,4 @@ main() {
4547
test_jwt "Secure test with rs256 jwt cookie" "/secure-rs256/" "200" " --cookie \"rampartjwt=${VALID_RS256_JWT}\""
4648
}
4749

48-
main "$@"
50+
main "$@"

0 commit comments

Comments
 (0)