diff options
author | Rob Crittenden <rcritten@redhat.com> | 2016-01-14 23:03:44 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2016-01-15 13:16:15 -0500 |
commit | a7721ab0c171d587a5d831990d1fe16d37a41ac7 (patch) | |
tree | 066f677eb16c912b15eef184fb198d2a87d1c71b | |
parent | a8711ee2d0d00d42b748f689c7595d1e519e3d2f (diff) | |
download | mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.gz mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.tar.xz mod_nss-a7721ab0c171d587a5d831990d1fe16d37a41ac7.zip |
Fail for colons in credentials with FakeBasicAuth
We will eventually want to use mod_auth_basic's AuthBasicFake
but this will do for now.
-rw-r--r-- | nss_engine_kernel.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index 7995952..0fdc009 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -607,8 +607,25 @@ int nss_hook_Access(request_rec *r) if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) { char *val = nss_var_lookup(r->pool, r->server, r->connection, r, (char *)dc->szUserName); - if (val && val[0]) - r->user = val; + if (val && val[0]) { + /* RFC2617 denies usage of colon in BasicAuth */ + char *colon = strchr(val, ':'); + if (colon == NULL) { + r->user = val; + } + else { + cp = apr_psprintf(r->pool, + "FakeBasicAuth is configured and colon " + "(\":\") character exists in the \"%s\" " + "username", val); + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: %s", + r->filename, cp); + + return HTTP_FORBIDDEN; + } + } } /* @@ -753,6 +770,20 @@ int nss_hook_UserCheck(request_rec *r) clientdn = (char *)sslconn->client_dn; + char *colon = strchr(clientdn, ':'); + if (colon != NULL) { + char *cp = apr_psprintf(r->pool, + "FakeBasicAuth is configured and colon " + "(\":\") character exists in the \"%s\" ", + "username", clientdn); + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "access to %s failed, reason: %s", + r->filename, cp); + + return HTTP_FORBIDDEN; + } + /* * Fake a password - which one would be immaterial, as, it seems, an empty * password in the users file would match ALL incoming passwords, if only |