Fix integer length overflow in basic auth #6946
Conversation
dirkmueller
force-pushed
the
http_authenticate
branch
from
54c91d1
to
22b4624
Compare
dirkmueller
changed the title
| #include "WiFiServer.h" | ||
| #include "WiFiClient.h" | ||
| #include "ESP8266WebServer.h" | ||
| #include "FS.h" | ||
|
|
||
| using namespace esp8266webserver; |
There was a problem hiding this comment.
Don't do this, at least not in a header file. This imports everything in esp8266webserver into the global namespace, which defeats the purpose of using a namespace.
It is sometimes ok to do this in a cpp file, but even then it's better to import into the cpp's anonymous namespace and not into the global one.
There was a problem hiding this comment.
I am actually not able to spot something that is outside the namespace in "nm" symbol dump. can you elaborate an example? the using doesn't change namespace, it just avoid me having to put a quadrillion esp8266webserver:: prefixes to all the declarations..
I can do that if your concern is the "using" part.
There was a problem hiding this comment.
Although I'm not sure I understood the concern, because there are no globals only statics (which are not exported hence don't pollute and don't care in which namespace they're declared), I moved all #include's out of the -impl.h now and have my duplicate-import problem solved this way.
| #include "ESP8266WebServer-impl.h" | ||
| #include "Parsing-impl.h" |
There was a problem hiding this comment.
These two were inside the namespace because their implementations are not in a namespace. Pulling them out like this means that the internals are moved to the global namespace, which is undesirable.
There was a problem hiding this comment.
the issue is that the things that they #include'ed was now being put into that namespace, which causes duplicate instanciations (code bloat) or missing symbols..
There was a problem hiding this comment.
You're correct about the last part. In general, it is bad practice to include inside a namespace for this exact reason.
The correct way to handle this is to separate the headers, so a bit more work along the lines of the following. Are you game?
- ESP8266WebServer-impl.h:
- Put
namespace esp8266webserveraround all the code in there. - In ESP8266WebServer.h move the include to after the namespace closing like you had previously proposed.
- Move the three headers added to ESP8266WebServer.h in your latest proposal back to the top of ESP8266WebServer-impl.h.
- Put
- RequestHandler.h: Wrapping with a namespace here could cause havoc in multiple dimensions. To avoid that:
- Fully qualify the template import like so:
using WebServerType = esp8266webserver::ESP8266WebServerTemplate<ServerType>;
- Fully qualify the template import like so:
- RequestHandlersImpl.h:
- Keep your removal of
using namespace mimein the global namespace. and its use where specifically used - Qualify the using WebServerType same way as above (x2)
- Keep your removal of
- Move the above includes out of the esp8266 namespace as you had proposed.
There was a problem hiding this comment.
I can do that cleanup. does it belong into this PR? I would prefer it as a followup.
There was a problem hiding this comment.
Well, I proposed the above as part of this PR because you started the include changes here. If you prefer to separate, what you could do is keep just the integer overflow fix for the ::authenticate() method here, and do the include cleanup in a different PR. What do you think?
|
A side note: |
dirkmueller
force-pushed
the
http_authenticate
branch
2 times, most recently
from
e7d2f51
to
d38814b
Compare
| #include "ESP8266WebServer-impl.h" | ||
| #include "Parsing-impl.h" |
There was a problem hiding this comment.
You're correct about the last part. In general, it is bad practice to include inside a namespace for this exact reason.
The correct way to handle this is to separate the headers, so a bit more work along the lines of the following. Are you game?
- ESP8266WebServer-impl.h:
- Put
namespace esp8266webserveraround all the code in there. - In ESP8266WebServer.h move the include to after the namespace closing like you had previously proposed.
- Move the three headers added to ESP8266WebServer.h in your latest proposal back to the top of ESP8266WebServer-impl.h.
- Put
- RequestHandler.h: Wrapping with a namespace here could cause havoc in multiple dimensions. To avoid that:
- Fully qualify the template import like so:
using WebServerType = esp8266webserver::ESP8266WebServerTemplate<ServerType>;
- Fully qualify the template import like so:
- RequestHandlersImpl.h:
- Keep your removal of
using namespace mimein the global namespace. and its use where specifically used - Qualify the using WebServerType same way as above (x2)
- Keep your removal of
- Move the above includes out of the esp8266 namespace as you had proposed.
earlephilhower
added
the
merge-conflict
dirkmueller
force-pushed
the
http_authenticate
branch
from
d38814b
to
469e3ba
Compare
This is a followup of the discussion in esp8266#6946 (comment) to untangle the namespace/double inclusions in this library.
untangle the namespace/double inclusions in webserver library. This is a followup of the discussion in #6946 (comment)
The string lengths were added and then stored in "char" which is limited in values at most up to 255. Using size_t is a much more appropriate type. In addition the code was using base64 with newlines injected (easy to fall into that trap as the default is imho wrong), which means that anything longer than ~ 60 characters never matched and you had no way to authenticate against the server.
dirkmueller
force-pushed
the
http_authenticate
branch
from
469e3ba
to
35b5dae
Compare
|
@earlephilhower how can I remove the label "merge-conflict" ? |
earlephilhower
removed
the
merge-conflict
earlephilhower
added
the
merge-conflict
The string lenths were added and then stored in "char" which is
typically signed and limited to values up to 127. Using size_t
is a more appropriate type.
Simplify the code a bit as well to avoid the code smell.