authorstbuehler <stbuehler@152afb58-edef-0310-8abb-c4023f1b3aa9>2011-11-29 22:27:23 +0000
committerstbuehler <stbuehler@152afb58-edef-0310-8abb-c4023f1b3aa9>2011-11-29 22:27:23 +0000
commitd040b7dc5cfd836bf83aeb04a1dfc2f59902dacc (patch)
tree45fab279e0a575ad51a9c0352101e9a31df5bf38
parent0d944e0d0f2d02f3fdf37b05e12251e42c11f6d8 (diff)
downloadlighttpd-d040b7dc5cfd836bf83aeb04a1dfc2f59902dacc.tar.gz
[mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
git-svn-id: svn://svn.lighttpd.net/lighttpd/trunk@2807 152afb58-edef-0310-8abb-c4023f1b3aa9
-rw-r--r--NEWS1
-rw-r--r--src/http_auth.c2
-rwxr-xr-xtests/mod-auth.t10
3 files changed, 11 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index cc132af0..421280be 100644
--- a/NEWS
+++ b/NEWS
@@ -170,6 +170,7 @@ NEWS
* Read hostname from absolute https:// uris in the request line (patch by Adrian Schröter <adrian@suse.de>)
* [ssl/md5] prefix our own md5 implementation with li_ so it doesn't conflict with the openssl one (fixes #2269)
* Enable linux-aio-sendfile for testing in autotools too
+ * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
- 1.5.0-r19.. -
* -F option added for spawn-fcgi
diff --git a/src/http_auth.c b/src/http_auth.c
index 70767139..2d6180e2 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -104,7 +104,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) {
ch = in[0];
/* run through the whole string, converting as we go */
for (i = 0; i < in_len; i++) {
- ch = in[i];
+ ch = (unsigned char) in[i];
if (ch == '\0') break;
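Review bot: The new cast on `ch = (unsigned char) in[i];` is the whole fix, but nothing in the code says why it is there, and a later cleanup could drop it as redundant; a trailing comment such as `/* char may be signed: a high byte must not become a negative index into the reverse table */` would keep the intent visible. The table lookup that the cast protects is below this hunk and not shown, and the declaration of `ch` is above it, so this assumes `ch` is a wider type than `char`. The earlier `ch = in[0];` above the loop keeps the uncast form; from the visible lines it appears to be overwritten on the first iteration, so it is presumably a leftover, but casting it the same way or removing it would make the two assignments consistent. base64_decode's body continues outside the hunk.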
diff --git a/tests/mod-auth.t b/tests/mod-auth.t
index 69efa0aa..6e5d5893 100755
--- a/tests/mod-auth.t
+++ b/tests/mod-auth.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 13;
+use Test::More tests => 14;
use LightyTest;
my $tf = LightyTest->new();
@@ -25,6 +25,14 @@ ok($tf->handle_http($t) == 0, 'Missing Auth-token');
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
+Authorization: Basic \x80mFuOmphb
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
+
+$t->{REQUEST} = ( <<EOF
+GET /server-status HTTP/1.0
Authorization: Basic amFuOmphb
EOF
);
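Review bot: The `\x80` in the added request heredoc is interpolated, because `<<EOF` is unquoted, so the test sends one 0x80 byte rather than the four characters `\x80`; that is exactly what this regression test needs, but it is easy to misread, and a later switch to `<<'EOF'` would silently turn the test into a plain malformed-token check. A comment above the request, `# unquoted heredoc: \x80 interpolates to a single high byte (the input the signedness fix guards against)`, would pin that down. The case also places the high byte only at the start of the token; a second request with a high byte later in the token (for instance `\xff` as the last character) would exercise the same check at other loop positions. The plan bump to 14 in the first hunk matches the one added `ok()`.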