Fail for colons in credentials with FakeBasicAuth

We will eventually want to use mod_auth_basic's AuthBasicFake but this will do for now.
author: Rob Crittenden <rcritten@redhat.com> 2016-01-14 23:03:44 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2016-01-15 13:16:15 -0500
commit: a7721ab0c171d587a5d831990d1fe16d37a41ac7 (patch)
tree: 066f677eb16c912b15eef184fb198d2a87d1c71b
parent: a8711ee2d0d00d42b748f689c7595d1e519e3d2f (diff)
download: mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.gz
mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.xz
mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.zip
1 files changed, 33 insertions, 2 deletions
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 7995952..0fdc009 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -607,8 +607,25 @@ int nss_hook_Access(request_rec *r)
     if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) {
         char *val = nss_var_lookup(r->pool, r->server, r->connection,
                                    r, (char *)dc->szUserName);
-        if (val && val[0])
-            r->user = val;
+        if (val && val[0]) {
+            /* RFC2617 denies usage of colon in BasicAuth */
+            char *colon = strchr(val, ':');
+            if (colon == NULL) {
+                r->user = val;
+            }
+            else {
+                cp = apr_psprintf(r->pool,
+                                "FakeBasicAuth is configured and colon "
+                                "(\":\") character exists in the \"%s\" "
+                                "username", val);
+
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                            "access to %s failed, reason: %s",
+                            r->filename, cp);
+
+                return HTTP_FORBIDDEN;
+            }
+        }
     }
 
     /*
@@ -753,6 +770,20 @@ int nss_hook_UserCheck(request_rec *r)
 
     clientdn = (char *)sslconn->client_dn;
 
+    char *colon = strchr(clientdn, ':');
+    if (colon != NULL) {
+        char *cp = apr_psprintf(r->pool,
+                        "FakeBasicAuth is configured and colon "
+                        "(\":\") character exists in the \"%s\" ",
+                        "username", clientdn);
+
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "access to %s failed, reason: %s",
+                    r->filename, cp);
+
+        return HTTP_FORBIDDEN;
+    }
+
     /*
      * Fake a password - which one would be immaterial, as, it seems, an empty
      * password in the users file would match ALL incoming passwords, if only
author	Rob Crittenden <rcritten@redhat.com>	2016-01-14 23:03:44 -0500
committer	Rob Crittenden <rcritten@redhat.com>	2016-01-15 13:16:15 -0500
commit	a7721ab0c171d587a5d831990d1fe16d37a41ac7 (patch)
tree	066f677eb16c912b15eef184fb198d2a87d1c71b
parent	a8711ee2d0d00d42b748f689c7595d1e519e3d2f (diff)
download	mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.gz mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.xz mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.zip