# HG changeset patch # User Timo Sirainen <tss@iki.fi> # Date 1205059519 -7200 # Node ID da2a9372e26e23dba9effc7267206664c19ffaca # Parent 6a1792255faf50b54fc801cd518f5ab2998030be If trying to log in with password having illegal characters, make sure we fail early. --- a/src/auth/auth-request.c Sun Mar 09 12:36:55 2008 +0200 +++ b/src/auth/auth-request.c Sun Mar 09 12:45:19 2008 +0200 @@ -414,6 +414,23 @@ void auth_request_verify_plain_callback( auth_request_verify_plain_callback_finish(result, request); } +static bool password_has_illegal_chars(const char *password) +{ + for (; *password != '\0'; password++) { + switch (*password) { + case '\001': + case '\t': + case '\r': + case '\n': + /* these characters have a special meaning in internal + protocols, make sure the password doesn't + accidentally get there unescaped. */ + return TRUE; + } + } + return FALSE; +} + void auth_request_verify_plain(struct auth_request *request, const char *password, verify_plain_callback_t *callback) @@ -431,7 +448,14 @@ void auth_request_verify_plain(struct au "Attempted master login with no master passdbs"); callback(PASSDB_RESULT_USER_UNKNOWN, request); return; - } + } + + if (password_has_illegal_chars(password)) { + auth_request_log_info(request, "passdb", + "Attempted login with password having illegal chars"); + callback(PASSDB_RESULT_USER_UNKNOWN, request); + return; + } passdb = request->passdb->passdb; if (request->mech_password == NULL)