
dovecot-1.0.7-9.el5_11.4.src.rpm


# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1205059519 -7200
# Node ID da2a9372e26e23dba9effc7267206664c19ffaca
# Parent 6a1792255faf50b54fc801cd518f5ab2998030be
If trying to log in with password having illegal characters, make sure we
fail early.

--- a/src/auth/auth-request.c	Sun Mar 09 12:36:55 2008 +0200
+++ b/src/auth/auth-request.c	Sun Mar 09 12:45:19 2008 +0200
@@ -414,6 +414,23 @@ void auth_request_verify_plain_callback(
 	auth_request_verify_plain_callback_finish(result, request);
 }
 
+static bool password_has_illegal_chars(const char *password)
+{
+	for (; *password != '\0'; password++) {
+		switch (*password) {
+		case '\001':
+		case '\t':
+		case '\r':
+		case '\n':
+			/* these characters have a special meaning in internal
+			   protocols, make sure the password doesn't
+			   accidentally get there unescaped. */
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 void auth_request_verify_plain(struct auth_request *request,
 			       const char *password,
 			       verify_plain_callback_t *callback)
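Review bot: password_has_illegal_chars() has no header comment, and the only explanation of the rejected set sits inside the last case body, so a reader cannot see up front why these four bytes are chosen. I would put the contract above the function, e.g. `/* Returns TRUE if password contains \001, TAB, CR or LF; these have a special meaning in the internal protocols and must not reach them unescaped. */`, and add `default: break;` so the switch is explicit about passing every other byte. The loop also dereferences `password` unconditionally; no caller is visible in this hunk, so it is worth confirming that auth_request_verify_plain() can never be handed a NULL password. The body of auth_request_verify_plain() starts at the end of this hunk and continues outside it.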
@@ -431,7 +448,14 @@ void auth_request_verify_plain(struct au
 			"Attempted master login with no master passdbs");
 		callback(PASSDB_RESULT_USER_UNKNOWN, request);
 		return;
-        }
+	}
+
+	if (password_has_illegal_chars(password)) {
+		auth_request_log_info(request, "passdb",
+			"Attempted login with password having illegal chars");
+		callback(PASSDB_RESULT_USER_UNKNOWN, request);
+		return;
+	}
 
         passdb = request->passdb->passdb;
 	if (request->mech_password == NULL)
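Review bot: The new early-exit reports `PASSDB_RESULT_USER_UNKNOWN` although the user has not been looked up yet and may well exist; the code appears to be copied from the master-login branch just above it. If anything downstream treats an unknown user differently from a bad password (failure delay, caching, log wording, the reply sent to the client), this path becomes distinguishable from an ordinary wrong password, so `callback(PASSDB_RESULT_PASSWORD_MISMATCH, request);` looks like the more accurate result, assuming that value fits the callers here. The log line correctly omits the password itself. The check guards only this plain-verify entry point, and the function continues outside the hunk, so any other path that forwards a client-supplied password to the internal protocols would need the same test.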