locked
ISAPI authentication filter problem RRS feed

  • Question

  • User193335039 posted

    I have written an authentication filter which performs non form based Basic authentication. The problem is once the authentication is done the page does not get displayed.

    //Code

    #include <stdio.h>
    #include <httpext.h>
    #include <httpfilt.h>
    #include <string.h>
    #define USERNAME "user"
    #define PASSWORD "pass"
    #define DOMAIN   "domain.com"
    #define BASIC_HDR   "Basic"
    #define FOURK_STR_SIZE    4*1024
    #define ONEK_STR_SIZE    1024


    DWORD WINAPI
    HttpFilterProc( PHTTP_FILTER_CONTEXT pfc,
            DWORD notificationType,
            VOID *pvNotification )
    {
        struct
        {
            char userpass[ONEK_STR_SIZE];
            char url[ONEK_STR_SIZE];
            char cookie[256];
        }*head;
        unsigned int cookielen;
        char domain[ONEK_STR_SIZE];
        DWORD urllen = sizeof(head->url);
        char str[ONEK_STR_SIZE];
        char *user = NULL;
        char *pass = NULL;
        char szBuffer [ FOURK_STR_SIZE + 1 ] = { 0 };
        char *userpass64;
        char userpassde[ONEK_STR_SIZE];
        char *up1;
        unsigned int userpassdelen;
        DWORD userpasslen;
       
        HTTP_FILTER_PREPROC_HEADERS *headers = (HTTP_FILTER_PREPROC_HEADERS *) pvNotification;
        HTTP_FILTER_SEND_RESPONSE *response = (HTTP_FILTER_SEND_RESPONSE *) pvNotification;

       
      switch(notificationType)
      {

       case SF_NOTIFY_PREPROC_HEADERS :

         
          OutputDebugString("SF_NOTIFY_PREPROC_HEADERS");
         
          if ( !pfc->pFilterContext )
            {
                pfc->pFilterContext = pfc->AllocMem( pfc, sizeof ( head ), 0 );
                if ( !pfc->pFilterContext )
                {
                    SetLastError( ERROR_NOT_ENOUGH_MEMORY );
                    return SF_STATUS_REQ_ERROR;
                }
            }
            head = pfc->pFilterContext;
            headers->GetHeader( pfc, "url", head->url,&urllen);
            headers->GetHeader( pfc, "Authorization:", head->userpass, &userpasslen );
            headers->GetHeader( pfc, "Cookie:", head->cookie, &cookielen );
          
            sprintf(str,"url is %s userpass is %s cookie is %s",head->url,head->userpass,head->cookie);
            OutputDebugString(str);
           sprintf(str,"url length is %d userpass length is %d  cookie length is %d",strlen(head->url),strlen(head->userpass), strlen(head->cookie));
            OutputDebugString(str);


        //break;

      case SF_NOTIFY_AUTHENTICATION:

          OutputDebugString("SF_NOTIFY_AUTHENTICATION");

         
          if ( !strcmp(head->cookie,"auth=Authenticated") )
             {
                OutputDebugString("Authentication completed");
                OutputDebugString("returning SF_STATUS_REQ_NEXT_NOTIFICATION");
                return SF_STATUS_REQ_NEXT_NOTIFICATION;
            }

        else //No cookie or cookie has auth=NotAuthenticated
        {
          OutputDebugString("cookie not equals auth=Authenticated");
         
          if(!strlen(head->userpass)==0) //Check whether username and password are being sent
          {
          OutputDebugString(str);
          OutputDebugString(head->userpass);
          userpass64 = (char*) malloc (strlen(head->userpass));
         
          userpass64=strchr(head->userpass,' '); //separating the base64 part from the rest of the string
          userpass64++;
          OutputDebugString(userpass64);
        

    // decoding the base64 username password

          b64_decode(userpass64,strlen(userpass64),userpassde,&userpassdelen); // Decoded string is stored in userpassde
         

          OutputDebugString(userpassde);//Output will be user:pass
          up1 = (char*) malloc (strlen(userpassde));
          strcpy(up1,userpassde);
         
          OutputDebugString(up1);
          user=strtok(userpassde,":");//Copy user into a string
         
          OutputDebugString(user);
          pass=strchr(up1,':');//Copy pass into a string
          pass++;//Remove : from the string
          OutputDebugString(pass);
         
           
          if( !strcmp( user, USERNAME ) && !strcmp( pass, PASSWORD ) )

            {
                //Every thing is perfect
                OutputDebugString("All conditions satisfied");
                pfc->AddResponseHeaders(pfc,"Set-Cookie: auth=Authenticated; path=/;\r\n", 0);
                OutputDebugString("returning SF_STATUS_REQ_NEXT_NOTIFICATION");
                return SF_STATUS_REQ_NEXT_NOTIFICATION;
            }
          }
            //All conditions have failed

                OutputDebugString("Wrong Username or password");

                sprintf(domain, "WWW-Authenticate: Basic realm=\"%s\"\r\n", DOMAIN);
                pfc->AddResponseHeaders(pfc,"Set-Cookie: auth=NotAuthenticated; path=/;\r\n", 0);
                pfc->ServerSupportFunction( pfc, SF_REQ_SEND_RESPONSE_HEADER,
                          (PVOID)   "401 Unauthorized",
                          (DWORD) domain,
                          (DWORD) NULL );

                OutputDebugString("returning SF_STATUS_REQ_FINISHED_KEEP_CONN");
                return SF_STATUS_REQ_FINISHED_KEEP_CONN;
           
        }
       
        break;


      default:
          break;

        }

       
        return SF_STATUS_REQ_NEXT_NOTIFICATION;

      }

    Debug Output :

    00000000    1:06:18 PM    [5924] SF_NOTIFY_PREPROC_HEADERS   
    00000001    1:06:18 PM    [5924] url is /index.htm userpass is  cookie is    
    00000002    1:06:18 PM    [5924] url length is 10 userpass length is 0  cookie length is 0   
    00000003    1:06:18 PM    [5924] SF_NOTIFY_AUTHENTICATION   
    00000004    1:06:18 PM    [5924] cookie not equals auth=Authenticated   
    00000005    1:06:18 PM    [5924] Wrong Username or password   
    00000006    1:06:18 PM    [5924] returning SF_STATUS_REQ_FINISHED_KEEP_CONN   
    00000007    1:06:23 PM    [5924] SF_NOTIFY_PREPROC_HEADERS   
    00000008    1:06:23 PM    [5924] url is /index.htm userpass is Basic dXNlcjpwYXNz cookie is auth=NotAuthenticated   
    00000009    1:06:23 PM    [5924] url length is 10 userpass length is 18  cookie length is 21   
    00000010    1:06:23 PM    [5924] SF_NOTIFY_AUTHENTICATION   
    00000011    1:06:23 PM    [5924] cookie not equals auth=Authenticated   
    00000012    1:06:23 PM    [5924] url length is 10 userpass length is 18  cookie length is 21   
    00000013    1:06:23 PM    [5924] Basic dXNlcjpwYXNz   
    00000014    1:06:23 PM    [5924] dXNlcjpwYXNz   
    00000015    1:06:23 PM    [5924] user:pass   
    00000016    1:06:23 PM    [5924] user:pass   
    00000017    1:06:23 PM    [5924] user   
    00000018    1:06:23 PM    [5924] pass   
    00000019    1:06:23 PM    [5924] All conditions satisfied   
    00000020    1:06:23 PM    [5924] returning SF_STATUS_REQ_NEXT_NOTIFICATION   
     

    Friday, December 7, 2007 5:04 AM

Answers

  • User511787461 posted

    Without reading the rest of your code, the below seems to be a bad bug

    pfc->pFilterContext = pfc->AllocMem( pfc, sizeof ( head ), 0 );

    ...

    head = pfc->pFilterContext;

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, December 7, 2007 5:16 PM
  • User193335039 posted

    Guess thats not the problem. Since i'm able to store and retrieve data using the head pointer as you might see in the debug statements

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, December 10, 2007 1:31 AM

All replies

  • User511787461 posted

    Without reading the rest of your code, the below seems to be a bad bug

    pfc->pFilterContext = pfc->AllocMem( pfc, sizeof ( head ), 0 );

    ...

    head = pfc->pFilterContext;

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, December 7, 2007 5:16 PM
  • User193335039 posted

    Guess thats not the problem. Since i'm able to store and retrieve data using the head pointer as you might see in the debug statements

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, December 10, 2007 1:31 AM
  • User511787461 posted

    Sorry for shouting but YOU ARE OVERRUNNING THE BUFFER ALLOCATED BY YOU - almost anything bad that you can think of can happen at this point.

    Monday, December 10, 2007 12:55 PM