If bridge authorities set BridgePassword, they will serve a

snapshot of known bridge routerstatuses from their DirPort to
anybody who knows that password. Unset by default.


svn:r12929

1 files changed, 11 insertions, 6 deletions

diff --git a/src/or/directory.c b/src/or/directory.c
index 85b0191e70..85fa3a144b 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -2596,9 +2596,11 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
       options->BridgePassword &&
       !strcmp(url,"/tor/networkstatus-bridges")) {
     char *status;
-    size_t len;
+    char decoded[64];
+    char *secret;
+    int r;
 
-    header = http_get_header(headers, "Authenticator: ");
+    header = http_get_header(headers, "Authorization: basic ");
 
     if (!header) {
       write_http_status_line(conn, 404, "Not found");
@@ -2606,7 +2608,10 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
     }
 
     /* now make sure the password is right */
-    if (1) { // check password_is_wrong(header)
+    r = base64_decode(decoded, sizeof(decoded), header, strlen(header));
+    secret = alloc_http_authenticator(options->BridgePassword);
+    if (r < 0 || (unsigned)r != strlen(secret) || memcmp(decoded, secret, r)) {
+      /* failed to decode, or didn't match. Refuse. */
       write_http_status_line(conn, 404, "Not found");
       tor_free(header);
       goto done;
@@ -2614,9 +2619,9 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
 
     /* all happy now. send an answer. */
     status = networkstatus_getinfo_by_purpose("bridge", time(NULL));
-    len = strlen(status);
-    write_http_response_header(conn, len, 0, 0);
-    connection_write_to_buf(status, len, TO_CONN(conn));
+    dlen = strlen(status);
+    write_http_response_header(conn, dlen, 0, 0);
+    connection_write_to_buf(status, dlen, TO_CONN(conn));
     tor_free(status);
     goto done;
   }