From 153b2d1d415ac45df1e2b9e524ac88c6a675c542 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Sun, 28 Jun 2015 05:37:28 +0000
Subject: [PATCH] fixing a security hole

---
 ChangeLog | 5 +++--
 src/apps/common/ns_turn_utils.c | 23 +++++++++++++++++++++++
 src/apps/common/ns_turn_utils.h | 4 ++++
 src/apps/relay/dbdrivers/dbd_mysql.c | 2 ++
 src/apps/relay/dbdrivers/dbd_pgsql.c | 2 ++
 src/apps/relay/dbdrivers/dbd_sqlite.c | 3 +++
 src/server/ns_turn_server.c | 9 ++++++++-
 7 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 13dedfe..fd28c9a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,8 @@
 6/20/2015 Oleg Moskalenko
 Version 4.4.5.3 'Ardee West':
- - third-party authorization STUn attributes adjusted according to the
- values assigned by IANA.
+ - third-party authorization STUN attributes adjusted according
+ to the values assigned by IANA.
+ - SQL injection security hole fixed.
 
 5/29/2015 Oleg Moskalenko
 Version 4.4.5.2 'Ardee West':
diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c
index ddc937a..501ded0 100644
--- a/src/apps/common/ns_turn_utils.c
+++ b/src/apps/common/ns_turn_utils.c
@@ -859,4 +859,27 @@ char *turn_strdup_func(const char* s, const char* function, int line) {
 #endif
 #endif
 
+////////////////////////////////
+
+int secure_username(u08bits *username)
+{
+ int ret = -1;
+ if(username) {
+ unsigned char *s = (unsigned char*)turn_strdup((char*)username);
+ while(*s) {
+ *s = (unsigned char)tolower((int)*s);
+ ++s;
+ }
+ if(strstr((char*)s," ")||strstr((char*)s,"\t")||strstr((char*)s,"'")) {
+ username[0]=0;
+ } else if(strstr((char*)s,"and")&&strstr((char*)s,"union")&&strstr((char*)s,"select")) {
+ username[0]=0;
+ } else {
+ ret = 0;
+ }
+ turn_free(s,strlen((char*)s));
+ }
+ return ret;
+}
+
 //////////////////////////////////////////////////////////////////
diff --git a/src/apps/common/ns_turn_utils.h b/src/apps/common/ns_turn_utils.h
index 1df9565..9deec28 100644
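Review bot: secure_username() as added in ns_turn_utils.c never rejects anything and frees the wrong pointer: the lowercasing `while(*s)` loop advances `s` to the terminating NUL, so every strstr() that follows scans an empty string, `ret` ends up 0 for any non-NULL input, and `turn_free(s,strlen((char*)s))` is handed a pointer to the end of the allocation rather than the block turn_strdup() returned. The duplicate should live in its own variable, be lowered through a separate cursor, be checked for a NULL return from turn_strdup(), and that original pointer freed with the length taken before lowering. Even once it works, this is a keyword blocklist applied to a string that the db drivers still paste into SQL with `%s`; escaping or bound parameters inside the drivers is the robust fix and this function is at best defence in depth. The ChangeLog hunk on this line needs nothing.
```c
int secure_username(u08bits *username)
{
	int ret = -1;
	if(username) {
		unsigned char *copy = (unsigned char*)turn_strdup((char*)username);
		if(!copy) {
			/* fail closed: an unscreened name must not reach the SQL builders */
			username[0]=0;
			return ret;
		}
		size_t len = strlen((char*)copy);
		for(unsigned char *p = copy; *p; ++p) {
			*p = (unsigned char)tolower((int)*p);
		}
		/* scan and free the original allocation, never an advanced cursor */
		if(strstr((char*)copy," ")||strstr((char*)copy,"\t")||strstr((char*)copy,"'")) {
			username[0]=0;
		} else if(strstr((char*)copy,"and")&&strstr((char*)copy,"union")&&strstr((char*)copy,"select")) {
			username[0]=0;
		} else {
			ret = 0;
		}
		turn_free(copy,len);
	}
	return ret;
}
```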
--- a/src/apps/common/ns_turn_utils.h +++ b/src/apps/common/ns_turn_utils.h @@ -78,6 +78,10 @@ void rollover_logfile(void); /////////////////////////////////////////////////////// +int secure_username(u08bits *username); + +/////////////////////////////////////////////////////// + #ifdef __cplusplus } #endif diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c index a7eb317..b8bb30f 100644 --- a/src/apps/relay/dbdrivers/dbd_mysql.c +++ b/src/apps/relay/dbdrivers/dbd_mysql.c @@ -300,6 +300,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { MYSQL * myc = get_mydb_connection(); if(myc) { char statement[TURN_LONG_STRING_SIZE]; + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm); int res = mysql_query(myc, statement); if(res) { @@ -343,6 +344,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); MYSQL * myc = get_mydb_connection(); diff --git a/src/apps/relay/dbdrivers/dbd_pgsql.c b/src/apps/relay/dbdrivers/dbd_pgsql.c index cfb0187..b7b7271 100644 --- a/src/apps/relay/dbdrivers/dbd_pgsql.c +++ b/src/apps/relay/dbdrivers/dbd_pgsql.c 
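Review bot: The new `secure_username` prototype in ns_turn_utils.h carries no contract, and the function has a side effect a caller cannot guess from its name: on rejection it overwrites `username[0]` with NUL in place, so the buffer the caller just filled is empty afterwards. Suggest a comment on the declaration such as `/* Screens a NUL-terminated username before it reaches SQL built by the db drivers. Returns 0 if acceptable; returns -1 and truncates username to "" when it contains a space, tab or single quote, or the and/union/select combination; NULL also yields -1. */`.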
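Review bot: The comment inserted before snprintf() in mysql_get_user_key claims "direct user input eliminated", but the line right below it still formats `usname` and `realm` into the statement with `%s`; what changed is only that callers now pass the username through secure_username(), which screens the username alone. The comment therefore overstates the guarantee: `realm` in mysql_get_user_key and `kid` in mysql_get_oauth_key are not screened anywhere in this patch, as far as the hunks show. Reword it to state the dependency rather than the conclusion, e.g. `/* usname is pre-screened by secure_username() in the callers; realm/kid are still interpolated unescaped here */`, and consider mysql_real_escape_string() or a prepared statement so the driver stops relying on a caller-side filter. The identical comment is added in the two dbd_pgsql.c hunks (PQexecParams would serve there) and the two dbd_sqlite.c hunks (sqlite3_bind_text), and the same rewording applies to all of them.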
@@ -124,6 +124,7 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { PGconn * pqc = get_pqdb_connection(); if(pqc) { char statement[TURN_LONG_STRING_SIZE]; + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm); PGresult *res = PQexec(pqc, statement); @@ -158,6 +159,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); PGconn * pqc = get_pqdb_connection(); diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 334b934..26f32b1 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c @@ -261,6 +261,7 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement, sizeof(statement), "select hmackey from turnusers_lt where name='%s' and realm='%s'", usname, realm); sqlite_lock(0); @@ -296,6 +297,8 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; + + /* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */ snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); sqlite3 *sqliteconnection = get_sqlite_connection(); 
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index 203f69d..b3d9e5d 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -1015,6 +1015,10 @@ static int handle_turn_allocate(turn_turnserver *server,
 }
 ns_bcopy(value,username,ulen);
 username[ulen]=0;
+ if(secure_username(username)<0) {
+ *err_code = 400;
+ break;
+ }
 }
 }
 
@@ -3338,7 +3342,10 @@ static int check_stun_auth(turn_turnserver *server,
 ns_bcopy(stun_attr_get_value(sar),usname,alen);
 usname[alen]=0;
 
- if(ss->username[0]) {
+ if(secure_username(usname)<0) {
+ *err_code = 400;
+ return -1;
+ } else if(ss->username[0]) {
 if(strcmp((char*)ss->username,(char*)usname)) {
 if(ss->oauth) {
 ss->hmackey_set = 0;
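Review bot: The new `break` in handle_turn_allocate leaves a loop or switch whose head lies outside the hunk, so it cannot be confirmed here that `*err_code = 400` then aborts the allocation rather than merely ending attribute parsing; worth checking at the enclosing construct. The screen is applied only to the username attribute, while the db drivers' queries interpolate `realm` with the same `%s` pattern, so the realm value needs an equivalent check unless that happens elsewhere. A rejected request currently leaves no trace in either this hunk or the check_stun_auth hunk below it: a warning-level log entry next to each `*err_code = 400;` (the project's TURN_LOG_FUNC fits) would give operators a detection signal for malformed usernames. Both functions' bodies extend beyond their hunks.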