1 files changed, 36 insertions, 0 deletions

diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index bcb260a1b..9b8f69b12 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -196,6 +196,14 @@ static int seed_password_input_prompt(TALLOC_CTX *mem_ctx, char **_password)
         ret = EINVAL;
         goto done;
     }
+
+    /* Do not allow empty passwords */
+    if (strlen(temp) == 0) {
+        ERROR("Empty passwords are not allowed.\n");
+        ret = EINVAL;
+        goto done;
+    }
+
     password = talloc_strdup(tmp_ctx, temp);
     if (password == NULL) {
         ret = ENOMEM;
@@ -235,6 +243,8 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
     uint8_t buf[PASS_MAX+1];
     int fd = -1;
     int ret = EOK;
+    int valid_i;
+    int i;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -266,6 +276,32 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
     close(fd);
     buf[len] = '\0';
 
+    /* Only the first line is valid (without '\n'). */
+    for (valid_i = -1; valid_i + 1 < len; valid_i++) {
+        if (buf[valid_i + 1] == '\n') {
+            buf[valid_i + 1] = '\0';
+            break;
+        }
+    }
+
+    /* Do not allow empty passwords. */
+    if (valid_i < 0) {
+        ERROR("Empty passwords are not allowed.\n");
+        ret = EINVAL;
+        goto done;
+    }
+
+    /* valid_i is the last valid index of the password followed by \0.
+     * If characters other than \n occur int the rest of the file, it
+     * is an error. */
+    for (i = valid_i + 2; i < len; i++) {
+        if (buf[i] != '\n') {
+            ERROR("Multi-line passwords are not allowed.\n");
+            ret = EINVAL;
+            goto done;
+        }
+    }
+
     password = talloc_strdup(tmp_ctx, (char *)buf);
     if (password == NULL) {
         ret = ENOMEM;