clean user credentials from control chars #868
Merged
merged 2 commits into from
Sep 27, 2014
Conversation

splitbrain
Collaborator

This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication

@Chris--S
Collaborator

Is it valid to filter out illegal characters rather than reject any login attempt which contains them?

The code still seems to allow an empty password.

When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login.

@splitbrain
Collaborator Author

Yeah, filtering out assumes good faith (e.g. we assume some botched copy'n'paste job rather than an attack).

I added a check for an empty password, to block these attempts before they reach the backend. TrustExternal backends can still do whatever they want.

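The approach agreed above (strip control characters such as NUL from the submitted credentials, then deny the login outright when the password is empty after cleaning, so an external backend like LDAP never sees the poisoned value), as an added example that is not DokuWiki's own code; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example, not DokuWiki's code. Function names are hypothetical.

/**
 * Remove ASCII control characters (0x00-0x1F and 0x7F) from a credential.
 * Filtering rather than rejecting assumes good faith (a botched paste, not
 * an attack); a NUL byte left in would otherwise truncate the value when
 * it reaches a C-based backend such as an LDAP bind.
 */
function cleanCredential(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

/**
 * Return the cleaned [user, pass] pair, or null when the password is empty
 * after cleaning, so the login is denied before any backend is consulted.
 * (TrustExternal-style backends that do their own auth are not covered.)
 */
function prepareLogin(string $user, string $pass): ?array
{
    $user = cleanCredential($user);
    $pass = cleanCredential($pass);
    if ($pass === '') {
        return null;
    }
    return [$user, $pass];
}

// Constructed inputs: a normal login, a username with a trailing NUL,
// and a "password" consisting only of a NUL byte.
$cases = [
    ['alice', 's3cret'],
    ["alice\x00", 'pw'],
    ['bob', "\x00"],
];
foreach ($cases as [$u, $p]) {
    $result = prepareLogin($u, $p);
    echo json_encode($u), ' => ',
        $result === null ? 'denied (empty password)' : json_encode($result),
        PHP_EOL;
}
```

The third case is denied before any backend call, while the second reaches the backend with the NUL stripped rather than being rejected.
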
@scrutinizer-notifier

The inspection completed: No new issues

splitbrain added a commit that referenced this pull request Sep 27, 2014
clean user credentials from control chars
@splitbrain splitbrain merged commit 3df1d4a into master Sep 27, 2014
@splitbrain splitbrain deleted the authclean branch September 27, 2014 10:39