fixing a security hole
parent
15291e813c
commit
153b2d1d41
@ -1,7 +1,8 @@
|
||||
6/20/2015 Oleg Moskalenko <mom040267@gmail.com>
|
||||
Version 4.4.5.3 'Ardee West':
|
||||
- third-party authorization STUn attributes adjusted according to the
|
||||
values assigned by IANA.
|
||||
- third-party authorization STUN attributes adjusted according
|
||||
to the values assigned by IANA.
|
||||
- SQL injection security hole fixed.
|
||||
|
||||
5/29/2015 Oleg Moskalenko <mom040267@gmail.com>
|
||||
Version 4.4.5.2 'Ardee West':
|
||||
|
||||
@ -859,4 +859,27 @@ char *turn_strdup_func(const char* s, const char* function, int line) {
|
||||
#endif
|
||||
#endif
|
||||
|
||||
////////////////////////////////
|
||||
|
||||
int secure_username(u08bits *username)
|
||||
{
|
||||
int ret = -1;
|
||||
if(username) {
|
||||
unsigned char *s = (unsigned char*)turn_strdup((char*)username);
|
||||
while(*s) {
|
||||
*s = (unsigned char)tolower((int)*s);
|
||||
++s;
|
||||
}
|
||||
if(strstr((char*)s," ")||strstr((char*)s,"\t")||strstr((char*)s,"'")) {
|
||||
username[0]=0;
|
||||
} else if(strstr((char*)s,"and")&&strstr((char*)s,"union")&&strstr((char*)s,"select")) {
|
||||
username[0]=0;
|
||||
} else {
|
||||
ret = 0;
|
||||
}
|
||||
turn_free(s,strlen((char*)s));
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////
|
||||
|
||||
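Review bot: The filter in secure_username() cannot reject anything as written: the lowercase loop advances `s` itself up to the terminating NUL, so every `strstr((char*)s, ...)` after it searches an empty string and `ret` becomes 0 for any non-NULL username. The moved pointer is then passed to `turn_free`, which is no longer the address `turn_strdup` returned, and the result of `turn_strdup` is dereferenced without a NULL check. Keep the start of the copy in its own variable, walk it with a second pointer, and fail closed when the copy cannot be allocated. Separately, the keyword branch only fires when "and", "union" and "select" are all present, and a character denylist is a weaker control than binding or escaping the values in the queries themselves.

```c
int secure_username(u08bits *username)
{
	// … unchanged: ret initialised to -1, NULL check on username …
		unsigned char *copy = (unsigned char*)turn_strdup((char*)username);
		unsigned char *p = copy;
		if(!copy) {
			/* fail closed: without a working copy the name cannot be checked */
			username[0]=0;
			return ret;
		}
		/* lowercase through a cursor; copy must keep the address turn_strdup returned */
		while(*p) {
			*p = (unsigned char)tolower((int)*p);
			++p;
		}
		// … unchanged: the strstr checks, searching copy instead of s …
		turn_free(copy,strlen((char*)copy));
	// … unchanged: closing brace of the NULL check, return ret …
}
```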
@ -78,6 +78,10 @@ void rollover_logfile(void);
|
||||
|
||||
///////////////////////////////////////////////////////
|
||||
|
||||
int secure_username(u08bits *username);
|
||||
|
||||
///////////////////////////////////////////////////////
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -300,6 +300,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
|
||||
MYSQL * myc = get_mydb_connection();
|
||||
if(myc) {
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm);
|
||||
int res = mysql_query(myc, statement);
|
||||
if(res) {
|
||||
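Review bot: The added comment says there is no SQL injection problem, but the statement on the next line is still assembled with `snprintf` and `'%s'`, and in the hunks shown only `usname` is passed through `secure_username()`; `realm` here, and `kid` in mysql_get_oauth_key, pgsql_get_oauth_key and sqlite_get_oauth_key, reach the query text with no visible check. The same comment is added in pgsql_get_user_key and sqlite_get_user_key. Bind the values as statement parameters, or escape them with the database driver's own routine, so the query stays safe regardless of what a caller filtered. The comment should then state only what is guaranteed, for example `/* usname is pre-filtered by secure_username(); realm is not - bind or escape both */`. The function body starts and ends outside the hunk.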
@ -343,6 +344,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
|
||||
|
||||
int ret = -1;
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
|
||||
|
||||
MYSQL * myc = get_mydb_connection();
|
||||
|
||||
@ -124,6 +124,7 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
|
||||
PGconn * pqc = get_pqdb_connection();
|
||||
if(pqc) {
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm);
|
||||
PGresult *res = PQexec(pqc, statement);
|
||||
|
||||
@ -158,6 +159,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
|
||||
int ret = -1;
|
||||
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
|
||||
|
||||
PGconn * pqc = get_pqdb_connection();
|
||||
|
||||
@ -261,6 +261,7 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key)
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
sqlite3_stmt *st = NULL;
|
||||
int rc = 0;
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement, sizeof(statement), "select hmackey from turnusers_lt where name='%s' and realm='%s'", usname, realm);
|
||||
|
||||
sqlite_lock(0);
|
||||
@ -296,6 +297,8 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
|
||||
char statement[TURN_LONG_STRING_SIZE];
|
||||
sqlite3_stmt *st = NULL;
|
||||
int rc = 0;
|
||||
|
||||
/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
|
||||
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
|
||||
|
||||
sqlite3 *sqliteconnection = get_sqlite_connection();
|
||||
|
||||
@ -1015,6 +1015,10 @@ static int handle_turn_allocate(turn_turnserver *server,
|
||||
}
|
||||
ns_bcopy(value,username,ulen);
|
||||
username[ulen]=0;
|
||||
if(secure_username(username)<0) {
|
||||
*err_code = 400;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
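Review bot: A rejected username leaves no trace in the lines shown: the new branch sets `*err_code = 400` and breaks, and `secure_username()` has already cleared the buffer, so nothing distinguishes a blocked injection attempt from an ordinary malformed request. check_stun_auth follows the same pattern with `return -1`. Consider a log line at both sites, such as `TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: username rejected by secure_username()\n", __FUNCTION__);`, so operators can alert on repeated rejections. Both functions continue outside their hunks, so a log on the 400 path may already exist further down.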
@ -3338,7 +3342,10 @@ static int check_stun_auth(turn_turnserver *server,
|
||||
ns_bcopy(stun_attr_get_value(sar),usname,alen);
|
||||
usname[alen]=0;
|
||||
|
||||
if(ss->username[0]) {
|
||||
if(secure_username(usname)<0) {
|
||||
*err_code = 400;
|
||||
return -1;
|
||||
} else if(ss->username[0]) {
|
||||
if(strcmp((char*)ss->username,(char*)usname)) {
|
||||
if(ss->oauth) {
|
||||
ss->hmackey_set = 0;
|
||||
|
||||