undertow/CVE-2017-12196-2.patch

From 8804170ce3186bdd83b486959399ec7ac0f59d0f Mon Sep 17 00:00:00 2001
From: Stuart Douglas <stuart.w.douglas@gmail.com>
Date: Mon, 11 Dec 2017 10:51:51 +1100
Subject: [PATCH] UNDERTOW-1190 handle absolute URI in the digest mechanism

---
 .../impl/DigestAuthenticationMechanism.java    | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
index e01724b44b..972a0cb0e4 100644
--- a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
+++ b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
@@ -239,10 +239,20 @@ private AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exc
                 requestURI = requestURI + "?" + exchange.getQueryString();
             }
             if(!uri.equals(requestURI)) {
-                //just end the auth process
-                exchange.setStatusCode(StatusCodes.BAD_REQUEST);
-                exchange.endExchange();
-                return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
+                //it is possible we were given an absolute URI
+                //we reconstruct the URI from the host header to make sure they match up
+                //I am not sure if this is overly strict, however I think it is better
+                //to be safe than sorry
+                requestURI = exchange.getRequestURL();
+                if(!exchange.getQueryString().isEmpty()) {
+                    requestURI = requestURI + "?" + exchange.getQueryString();
+                }
+                if(!uri.equals(requestURI)) {
+                    //just end the auth process
+                    exchange.setStatusCode(StatusCodes.BAD_REQUEST);
+                    exchange.endExchange();
+                    return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
+                }
             }
         } else {
             return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
Fix CVE-2017-12196,CVE-2019-10184 and CVE-2019-10212 (cherry picked from commit 329cb3a1e2aa3f6f9845ab228d2034edbb7a53f4) 2025-03-03 17:59:33 +08:00			`From 8804170ce3186bdd83b486959399ec7ac0f59d0f Mon Sep 17 00:00:00 2001`
			`From: Stuart Douglas <stuart.w.douglas@gmail.com>`
			`Date: Mon, 11 Dec 2017 10:51:51 +1100`
			`Subject: [PATCH] UNDERTOW-1190 handle absolute URI in the digest mechanism`

			`---`
			`.../impl/DigestAuthenticationMechanism.java \| 18 ++++++++++++++----`
			`1 file changed, 14 insertions(+), 4 deletions(-)`

			`diff --git a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java`
			`index e01724b44b..972a0cb0e4 100644`
			`--- a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java`
			`+++ b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java`
			`@@ -239,10 +239,20 @@ private AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exc`
			`requestURI = requestURI + "?" + exchange.getQueryString();`
			`}`
			`if(!uri.equals(requestURI)) {`
			`- //just end the auth process`
			`- exchange.setStatusCode(StatusCodes.BAD_REQUEST);`
			`- exchange.endExchange();`
			`- return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;`
			`+ //it is possible we were given an absolute URI`
			`+ //we reconstruct the URI from the host header to make sure they match up`
			`+ //I am not sure if this is overly strict, however I think it is better`
			`+ //to be safe than sorry`
			`+ requestURI = exchange.getRequestURL();`
			`+ if(!exchange.getQueryString().isEmpty()) {`
			`+ requestURI = requestURI + "?" + exchange.getQueryString();`
			`+ }`
			`+ if(!uri.equals(requestURI)) {`
			`+ //just end the auth process`
			`+ exchange.setStatusCode(StatusCodes.BAD_REQUEST);`
			`+ exchange.endExchange();`
			`+ return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;`
			`+ }`
			`}`
			`} else {`
			`return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;`