diff options
author | Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com> | 2021-04-27 14:57:50 +0300 |
---|---|---|
committer | Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com> | 2021-04-27 15:22:17 +0300 |
commit | 080a77fea45ae0da4639ddef22be91f853929d99 (patch) | |
tree | 05bf1fddf4459ed130907f242d5efc1fa72b0d7c | |
parent | 7cc83164ffd69b4da0143f7e531f919b9006f944 (diff) | |
download | virtual-media-080a77fea45ae0da4639ddef22be91f853929d99.tar.xz |
Escape cifs credentials to prevent injection
Mount function consumes mount parameters as coma delimited options. In
order to make it resistant to classic parameter injection each comma in
username or password parameter that user provides is escaped by second
comma character. This fix appiles such escaping for samba credentials.
Tested:
Tested by inserting media with password=smbpass,ver=1.0. Kernel does
not mount share, showing error appropriate to incorrect credentials:
intel-obmc kernel: CIFS: Status code returned 0xc000006d \
STATUS_LOGON_FAILURE
Change-Id: I3acb24a4b24e798e54e095c69e9c6ec3151e03d1
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
-rw-r--r-- | src/smb.hpp | 1 | ||||
-rw-r--r-- | src/utils.hpp | 31 |
2 files changed, 32 insertions, 0 deletions
diff --git a/src/smb.hpp b/src/smb.hpp index 6a0db0b..a77dba3 100644 --- a/src/smb.hpp +++ b/src/smb.hpp @@ -35,6 +35,7 @@ class SmbShare else { LogMsg(Logger::Info, "Authenticating as ", credentials->user()); + credentials->escapeCommas(); credentialsOpt = "user=" + credentials->user() + ",password=" + credentials->password(); } diff --git a/src/utils.hpp b/src/utils.hpp index f0d71d6..ebbdaf6 100644 --- a/src/utils.hpp +++ b/src/utils.hpp @@ -46,13 +46,39 @@ class Credentials return passBuf; } + void escapeCommas() + { + if (!commasEscaped) + { + escapeComma(userBuf); + escapeComma(passBuf); + commasEscaped = true; + } + } + private: Credentials() = delete; Credentials(const Credentials&) = delete; Credentials& operator=(const Credentials&) = delete; + /* escape ',' (coma) by ',,' */ + void escapeComma(std::string& s) + { + std::string temp; + std::for_each(s.begin(), s.end(), [&temp](const auto& c) { + *std::back_inserter(temp) = c; + if (c == ',') + { + *std::back_inserter(temp) = c; + } + }); + std::swap(s, temp); + secureCleanup(temp); + } + std::string userBuf; std::string passBuf; + bool commasEscaped{false}; }; class CredentialsProvider @@ -83,6 +109,11 @@ class CredentialsProvider { } + void escapeCommas() + { + credentials.escapeCommas(); + } + const std::string& user() { return credentials.user(); |