fixed a security bug introduced in 3.13.0 version that lead the HTTP …

…built-in server to bypass Basic Authentication when the option 'hosts_deny' is not defined #309
mikaku · Jan 27, 2021 · d6816e2 · d6816e2
1 parent 5f77eee
commit d6816e2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/HTTPServer.pm b/lib/HTTPServer.pm
@@ -139,6 +139,10 @@ sub http_header {
 		# check if the IP address is forced to auth
 		my $denied;
 		my $allowed = ip_validity($ENV{REMOTE_ADDR}, $hosts_allow);
+
+		# specific behavior
+		$hosts_deny = "all" if !$hosts_deny;
+
 		$denied = ip_validity($ENV{REMOTE_ADDR}, $hosts_deny) if !$allowed;
 		if(!$allowed && $denied) {
 			my (undef, $encoded_str) = split(' ', $ENV{HTTP_AUTHORIZATION} || "");