From: Olivier Houchard Date: Wed, 22 Apr 2020 19:51:14 +0000 (+0200) Subject: BUG/MEDIUM: http-ana: Handle NTLM messages correctly. X-Git-Tag: v2.1.5~80 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=a542024400c49f0b4602b4a0270f79f4d6aa7232;p=haproxy-2.1.git BUG/MEDIUM: http-ana: Handle NTLM messages correctly. When checking www-authenticate headers, we don't want to just accept "NTLM" as value, because the server may send "HTLM ". Instead, just check that it starts with NTLM. This should be backported to 2.1, 2.0, 1.9 and 1.8. (cherry picked from commit 9df188695fbf1ff17de3861ec5b281365800c7f0) Signed-off-by: Willy Tarreau --- diff --git a/src/http_ana.c b/src/http_ana.c index 5705874..332ae22 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -1793,7 +1793,7 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) ctx.blk = NULL; while (http_find_header(htx, hdr, &ctx, 0)) { if ((ctx.value.len >= 9 && word_match(ctx.value.ptr, ctx.value.len, "Negotiate", 9)) || - (ctx.value.len >= 4 && word_match(ctx.value.ptr, ctx.value.len, "NTLM", 4))) { + (ctx.value.len >= 4 && !memcmp(ctx.value.ptr, "NTLM", 4))) { sess->flags |= SESS_FL_PREFER_LAST; srv_conn->flags |= CO_FL_PRIVATE; }
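Review bot: The new NTLM test on the `+` line, `!memcmp(ctx.value.ptr, "NTLM", 4)`, is a byte-exact prefix comparison, so it is both stricter and looser than intended. HTTP authentication scheme names are case-insensitive, so a server sending `ntlm` or `Ntlm` followed by its token would not match, and the response would go through without `SESS_FL_PREFER_LAST` and `CO_FL_PRIVATE` being set. In the other direction, any value that merely begins with those four bytes matches, because nothing checks what follows. Consider a case-insensitive comparison of the first four bytes plus a check that the value either ends there (`ctx.value.len == 4`) or continues with a space or tab. Separately, the unchanged `Negotiate` branch just above still uses `word_match(ctx.value.ptr, ctx.value.len, "Negotiate", 9)`; if `word_match` rejects a scheme followed by more data, which is the reason the commit message gives for changing the NTLM branch, then a `Negotiate` header that carries a token has the same problem and should get the same treatment. A short comment in the code explaining why a prefix match is used here would also help later readers.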