8000 fix acme wrt. security, redundancy, consistency by jelmd · Pull Request #672 · coturn/coturn · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix acme wrt. security, redundancy, consistency #672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 5, 2021
Merged

fix acme wrt. security, redundancy, consistency #672

merged 3 commits into from
Jan 5, 2021

Conversation

jelmd
Copy link
Contributor
@jelmd jelmd commented Dec 31, 2020

The #551 PR rewrite/current implementation has several issues:

  • unsafe copy of req:
    • the src pointer for the req_url copy may point to anything else, but not the intended location
    • the length of req is not checked and thus may overflow the req_url buffer
  • too much redundant work
    • there is no need to search for space[s] or tab[s] to extract the URL path: is_acme_req() already takes care of it. It returns the position of the 2nd space of the request-line (see plen, RFC 2616, 5.1. The first space gets covered by the GET_ACME_PREFIX). If the request is not RFC conform, we do not care - ignore it.
    • since we already know the url (req + 4, plen), there is no need to copy those bytes around and no need for all the related helper vars
  • inconsistency:
    • GET_WELLKNOWN_ACMECHALLANGE_URL_PREFIX_LENGTH got introduced in the rewrite. The corresponding string is missing. So a corresponding #define got introduced here.
    • If such a const gets defined, it should be used in every related expression, otherwise it certainly causes more trouble than help.
    • awefully long names do not contribute to readability. So shortened it to an acceptable length, which does not hurt that much.
    • actually these defines are very specific implementation details and shouldn't exposed via acme.h or anything else.
  • libevent fix:
    • at least on Ubuntu focal int send_data_from_ioa_socket_nbh() is unreliable and does not send the expected HTTP response for whatever reason (I guess, the "return socket" is already closed). So on ubuntu per default a workaround will be used to make sure, that a proper answer gets sent. To force send_data_from_ioa_socket_nbh() usage on ubuntu, one may export LIBEV_OK=1 before running ./configure ....
  • license:
    Adding an outdated default header is IMHO not ok. Not sure, whether Citrix maintainers are still onboard, but I do not wanna get sued by anybody, just for re-using my own code. Therefore I added the MIT license header, which should be compatible with the project, does not require a change any other files, but still allows me (and others) to re-use it somewhere else.

@misi misi self-assigned this Jan 4, 2021
@misi misi added the bug label Jan 4, 2021
@misi misi added this to the 4.5.2 milestone Jan 4, 2021
@misi
Copy link
Contributor
misi commented Jan 4, 2021
edited
Loading

@jelmd Thanks for the corrections!
I did my best to merge and test your code.
Sorry if I made more trouble and redundant thing it was due my limited knowledge, but I tested and seemed it was needed.
I tested it on Debian stable.

License: I used the common header, because I don't have info about this legal agreements, if it is still valid, or not.
Only the original author of the code @mom040267 can say more about it.
IMHO one project with one license is more common and simple and understandable for the community.
Fragmenting license per file is also uncommon, but I see your point if you want reuse your code anywhere else then I can go along with it. Do you really want to reuse this lines? Anyhow I would be more happy to not fragment, but it is just my 2 cents.

I do my best to serve this project, but I am very alone with my efforts, so I invite you to join me and help me maintain the project if you have time for it.

I will review and merge it soon. Sorry for the delay..

@misi misi merged commit 288c486 into coturn:master Jan 5, 2021
@misi
Copy link
Contributor
misi commented Jan 8, 2021

@jelmd If I am correct you mean -= here, right? see: a28fee8

@jelmd
Copy link
Contributor Author
jelmd commented Jan 8, 2021

Yes, good catch. :)

@misi
Copy link
Contributor
misi commented Jan 9, 2021

Thanks!!

@jonesmz jonesmz mentioned this pull request Jul 29, 2024
Merged
ggarber pushed a commit that referenced this pull request May 30, 2025
@jonesmz
Add spdx tags to all source files (#1510)
9ae1e3b 
With notable exceptions of:

src/apps/common/win/*
src/apps/relay/telnet.*

The purpose of this change is to add the SPDX tags from
https://spdx.dev/, which is a linux foundation project, to the source
code.

This provides automated code provenance tools, which are used in setting
up software bill of materials reports, an easy time verifying that the
code license is known and no incompatibilities are present in a
codebase.

No copyright date, author, or license changes are made.

Note also that
7e525c8
is the original commit for the ACME code (acme.h and acme.c) which was
then moved to acme.h and acme.c in this commit
d468675
but neither commit indicates what license the ACME code was submitted
as.

https://github.com/coturn/coturn?tab=License-1-ov-file#readme is the
3-clause BSD license, but #672
documents that the author's intent was for the MIT license. So I've used
the SPDX tag and content of the MIT license for this change.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@misi misi

Labels
bug
Projects
None yet
Milestone
4.5.2
Development

Successfully merging this pull request may close these issues.
2 participants
@jelmd @misi
0