samba-bugs@samba.org
2006-Mar-06 11:19 UTC
DO NOT REPLY [Bug 3584] New: base64 function does not pad output correctly
https://bugzilla.samba.org/show_bug.cgi?id=3584
Summary: base64 function does not pad output correctly
Product: rsync
Version: 2.6.6
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: core
AssignedTo: wayned@samba.org
ReportedBy: mathijs@crooked.net
QAContact: rsync-qa@samba.org
The base64 function in authenticate.c does not correctly pad the output data.
This can easily be seen by having it encode N bytes of data, where N is -not- a
multiple of 3. For instance:
base64("123") == "MTIz" (correct value: "MTIz")
base64("1234") == "MTIzNA" (correct value: "MTIzNA==")
Because of this bug, HTTP Basic authentication may not work correctly,
depending on the length of the username and password.
The patch below fixes this problem.
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----
--- rsync-2.6.6/authenticate.c-orig 2006-03-06 11:10:23.000000000 +0100
+++ rsync-2.6.6/authenticate.c 2006-03-06 11:10:54.000000000 +0100
@@ -49,6 +49,9 @@
}
out[i] = b64[idx];
}
+
+ while ((i % 4) > 0)
+ out[i++] = '=';
}
/* Generate a challenge buffer and return it base64-encoded. */
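Review bot: the padding loop added at the end of the function stores '=' bytes with `out[i++] = '=';` but nothing after it in the hunk writes a terminating NUL, and nothing shown confirms that out has room for the extra bytes; write the terminator after the loop and size the output buffer for the padded length. The padding is also unconditional, so it changes the result for every caller of this function, including the challenge generation named in the comment that follows the hunk; a flag argument that lets each caller request padding would keep the change limited to the callers that need it.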
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
samba-bugs@samba.org
2006-Mar-06 11:21 UTC
DO NOT REPLY [Bug 3584] base64 function does not pad output correctly
https://bugzilla.samba.org/show_bug.cgi?id=3584
------- Comment #1 from mathijs@crooked.net 2006-03-06 05:21 MST -------
Created an attachment (id=1775)
--> (https://bugzilla.samba.org/attachment.cgi?id=1775&action=view)
Patch for base64 in authenticate.c
samba-bugs@samba.org
2006-Mar-06 18:34 UTC
DO NOT REPLY [Bug 3584] base64 function does not pad output correctly
https://bugzilla.samba.org/show_bug.cgi?id=3584
wayned@samba.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Comment #2 from wayned@samba.org 2006-03-06 12:33 MST -------
Your change would also affect the password authentication that a daemon rsync
performs, making daemons/clients incompatible with older clients/daemons.
Also, your code failed to null-terminate the padded value.
I've checked-in an improved version that lets the caller choose if they want
padding or not. This ensures that only the Proxy-Authentication header is
affected by this change.
Thanks for your help.
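The approach described in comment #2 (padding chosen by the caller, plus a terminating NUL), sketched as an added example; this is not rsync's authenticate.c code, and the function name `b64_encode`, its `pad` flag and the buffer-size check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rsync's code): base64-encode len bytes of in
 * into out as a NUL-terminated string. pad != 0 appends '=' up to a
 * multiple of 4 characters. Returns the string length, or -1 if the
 * outsz-byte buffer is too small. */
static int b64_encode(const unsigned char *in, size_t len,
                      char *out, size_t outsz, int pad)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t rem = len % 3, i, o = 0;
    /* Unpadded tail is rem+1 characters; padded tail is always 4. */
    size_t need = (len / 3) * 4 + (rem ? (pad ? 4 : rem + 1) : 0) + 1;

    if (need > outsz)
        return -1;
    for (i = 0; i + 2 < len; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = b64[(v >> 6) & 63];
        out[o++] = b64[v & 63];
    }
    if (rem) {
        unsigned v = in[i] << 16;
        if (rem == 2)
            v |= in[i + 1] << 8;
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        if (rem == 2)
            out[o++] = b64[(v >> 6) & 63];
        while (pad && (o % 4) > 0)   /* same loop as the patch, now optional */
            out[o++] = '=';
    }
    out[o] = '\0';                   /* terminate after any padding */
    return (int)o;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs, taken from the bug report's examples. */
    b64_encode((const unsigned char *)"1234", 4, buf, sizeof buf, 0);
    printf("unpadded: %s\n", buf);
    b64_encode((const unsigned char *)"1234", 4, buf, sizeof buf, 1);
    printf("padded:   %s\n", buf);
    return 0;
}
```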