From 52c150281c0235d610d31891a5fb50cb73972fcc Mon Sep 17 00:00:00 2001
From: Ed Tanous
Date: Fri, 19 Apr 2024 16:09:59 -0700
Subject: Fix http2 use after free bug

In the below code, we move out of Response, then use it to set unauthorized, which never gets returned to the user. This results in the browser showing an empty 200 ok request, because while the request was propagated rejected, the 401 error code didn't get propagated to the user.

Tested: If not logged in on a chrome browser: /redfish/v1 -> Returns the UI /refish/v1/AccountService -> returns a forward to the webui login page. If logged into the webui. /redfish/v1/AccountService now returns the expected HTML redfish representation of the json response.

Change-Id: I2c906f818367ebb253b3e6097e6787ba4c215e0a
Signed-off-by: Ed Tanous
---
 http/http2_connection.hpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/http2_connection.hpp b/http/http2_connection.hpp
index 7e8224eedf..4b2d186f07 100644
--- a/http/http2_connection.hpp
+++ b/http/http2_connection.hpp
@@ -265,7 +265,7 @@ class HTTP2Connection :
             std::make_shared(std::move(it->second.res));
 #ifndef BMCWEB_INSECURE_DISABLE_AUTHX
         thisReq.session = crow::authentication::authenticate(
-            {}, thisRes, thisReq.method(), thisReq.req, nullptr);
+            {}, asyncResp->res, thisReq.method(), thisReq.req, nullptr);
         if (!crow::authentication::isOnAllowlist(thisReq.url().path(),
                                                  thisReq.method()) &&
             thisReq.session == nullptr)
@@ -274,7 +274,7 @@ class HTTP2Connection :
             forward_unauthorized::sendUnauthorized(
                 thisReq.url().encoded_path(),
                 thisReq.getHeaderValue("X-Requested-With"),
-                thisReq.getHeaderValue("Accept"), thisRes);
+                thisReq.getHeaderValue("Accept"), asyncResp->res);
         }
         else
 #endif // BMCWEB_INSECURE_DISABLE_AUTHX
-- 
cgit v1.2.3
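Review bot: `thisRes`, which the removed lines in both hunks passed to authenticate() and sendUnauthorized(), is presumably still declared above the first hunk, and because `it->second.res` is moved into `asyncResp` on the first context line, that alias now names a moved-from Response, so any use of it that remains in this function (which begins before and continues after both hunks) repeats the bug this commit fixes. Either delete the alias or rebind it after the move, `Response& thisRes = asyncResp->res;`, so that a stale use fails to compile instead of silently writing the 401 into a response that is never sent. The authentication result is the security-relevant output here: a 401 written to the wrong object left an unauthenticated HTTP/2 request answered with an empty 200, which is exactly the condition a regression test should pin by sending an unauthenticated request to a non-allowlisted path and asserting the status is 401 (or the login-page forward the message describes) rather than 200. The same observation applies to the second hunk, which I have not repeated there.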