diff options
author | Denys Vlasenko <vda.linux@googlemail.com> | 2011-08-09 04:05:13 +0200 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2011-08-09 04:05:13 +0200 |
commit | 7485086f1eca78998d6cd31b0ce18a8a8ea3fc35 (patch) | |
tree | ad3a754a07e29b0c86514bdac98c63618628b37d | |
parent | 6e42b89b8d136316e1b97b56cf885e8ef9d64caf (diff) |
die_if_bad_username: tighten up a bit
function old new delta
die_if_bad_username 77 97 +20
Based on patches from Tito.
The changes are:
better comments
we disallow '@' now - in practice such usernames will be unusable
use of the portable filename character set plus '$'
don't use isalnum as it allows non-ASCII letters in legacy 8-bit locales (pointed out by Rich Felker)
enforce maximum length of LOGIN_NAME_MAX (including NUL)
don't allow '$', '.', and '-' as first char
don't print the illegal char in error message as if it is a wide char it will be unreadable
print the position of the illegal character
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | libbb/die_if_bad_username.c | 42 |
1 files changed, 32 insertions, 10 deletions
diff --git a/libbb/die_if_bad_username.c b/libbb/die_if_bad_username.c index 9946e3a1d..cf1297bd6 100644 --- a/libbb/die_if_bad_username.c +++ b/libbb/die_if_bad_username.c @@ -18,23 +18,45 @@ void FAST_FUNC die_if_bad_username(const char *name) { - /* 1st char being dash or dot isn't valid: */ - goto skip; - /* For example, name like ".." can make adduser - * chown "/home/.." recursively - NOT GOOD + const char *start = name; + + /* 1st char being dash or dot isn't valid: + * for example, name like ".." can make adduser + * chown "/home/.." recursively - NOT GOOD. + * Name of just a single "$" is also rejected. */ + goto skip; do { - if (*name == '-' || *name == '.') + unsigned char ch; + + /* These chars are valid unless they are at the 1st pos: */ + if (*name == '-' + || *name == '.' + /* $ is allowed if it's the last char: */ + || (*name == '$' && !name[1]) + ) { continue; + } skip: - if (isalnum(*name) - || *name == '_' - || *name == '@' - || (*name == '$' && !name[1]) + ch = *name; + if (ch == '_' + /* || ch == '@' -- we disallow this too. Think about "user@host" */ + /* open-coded isalnum: */ + || (ch >= '0' && ch <= '9') + || ((ch|0x20) >= 'a' && (ch|0x20) <= 'z') ) { continue; } - bb_error_msg_and_die("illegal character '%c'", *name); + bb_error_msg_and_die("illegal character with code %u at position %u", + (unsigned)ch, (unsigned)(name - start)); } while (*++name); + + /* The minimum size of the login name is one char or two if + * last char is the '$'. Violations of this are caught above. + * The maximum size of the login name is LOGIN_NAME_MAX + * including the terminating null byte. + */ + if (name - start >= LOGIN_NAME_MAX) + bb_error_msg_and_die("name is too long"); } |