From 0dc9280e94ced62ebe6f5206616540764d6afe2f Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Fri, 14 Jul 2017 22:30:17 +0000 Subject: [PATCH] CVE-2017-9788: add unit tests for get_digest_rec() Including the module source is a dirty hack, but maybe the direct way is best for now. More functional tests are still TODO. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/httpdunit@1801996 13f79535-47bb-0310-9956-ffa450edef68 --- test/unit/mod_auth_digest.c | 107 ++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 test/unit/mod_auth_digest.c diff --git a/test/unit/mod_auth_digest.c b/test/unit/mod_auth_digest.c new file mode 100644 index 0000000000..0d55b26269 --- /dev/null +++ b/test/unit/mod_auth_digest.c @@ -0,0 +1,107 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../httpdunit.h" + +/* XXX This'll almost certainly cause headaches... Need a better way to test + * module helper functions. + * + * - What if the user doesn't want to, or can't, build mod_auth_digest? + * - How do we make sure the Makefile rebuilds us when the module changes? + */ +#include "../../modules/aaa/mod_auth_digest.c" + +/* + * Test Fixture -- runs once per test + */ + +static apr_pool_t *g_pool; +static request_rec *g_request; + +/* XXX: duplicated from the authn.c tests; find a way to pull this into a helper + * library */ +static void mod_auth_digest_setup(void) +{ + if (apr_pool_create(&g_pool, NULL) != APR_SUCCESS) { + exit(1); + } + + /* Stub out just enough of a request_req to get the tests working. + * Unfortunately this couples us to implementation details in the code being + * tested, but the logic to get a "real" request_rec requires spinning up + * half of the world. */ + g_request = apr_pcalloc(g_pool, sizeof(*g_request)); + if (!g_request) { + exit(1); + } + + g_request->pool = g_pool; + g_request->headers_in = apr_table_make(g_pool, 1); + + if (!g_request->headers_in) { + exit(1); + } +} + +static void mod_auth_digest_teardown(void) +{ + apr_pool_destroy(g_pool); +} + +/* + * get_digest_rec() + * + * Note that this function is an implementation detail, so the tests might not + * have the longest lifetime. + */ + +/* TODO: more functional tests! */ + +START_TEST(get_digest_rec_uses_empty_string_for_key_without_value) +{ + digest_header_rec resp = { 0 }; + apr_table_set(g_request->headers_in, "Authorization", + "Digest username=user, nc"); + + get_digest_rec(g_request, &resp); + + ck_assert_str_eq(resp.username, "user"); + ck_assert_str_eq(resp.nonce_count, ""); +} +END_TEST + +/* + * Regression test for CVE-2017-9788. Note that it only reliably fails if APR + * fills memory with something other than NULL; otherwise you can get false + * positives. But it's better than nothing. + */ +START_TEST(get_digest_rec_does_not_use_uninitialized_memory_for_key_without_value) +{ + digest_header_rec resp = { 0 }; + apr_table_set(g_request->headers_in, "Authorization", "Digest nc"); + + get_digest_rec(g_request, &resp); + + ck_assert_str_eq(resp.nonce_count, ""); +} +END_TEST + +/* + * Test Case Boilerplate + */ +HTTPD_BEGIN_TEST_CASE_WITH_FIXTURE(mod_auth_digest, mod_auth_digest_setup, mod_auth_digest_teardown) +#include "test/unit/mod_auth_digest.tests" +HTTPD_END_TEST_CASE -- 2.40.0