From 080a77fea45ae0da4639ddef22be91f853929d99 Mon Sep 17 00:00:00 2001
From: "Czarnowski, Przemyslaw" <przemyslaw.hawrylewicz.czarnowski@intel.com>
Date: Tue, 27 Apr 2021 13:57:50 +0200
Subject: Escape cifs credentials to prevent injection

Mount function consumes mount parameters as coma delimited options. In
order to make it resistant to classic parameter injection each comma in
username or password parameter that user provides is escaped by second
comma character.  This fix appiles such escaping for samba credentials.

Tested:

Tested by inserting media with password=smbpass,ver=1.0.  Kernel does
not mount share, showing error appropriate to incorrect credentials:

intel-obmc kernel: CIFS: Status code returned 0xc000006d \
     STATUS_LOGON_FAILURE

Change-Id: I3acb24a4b24e798e54e095c69e9c6ec3151e03d1
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
---
 src/smb.hpp   |  1 +
 src/utils.hpp | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/src/smb.hpp b/src/smb.hpp
index 6a0db0b..a77dba3 100644
--- a/src/smb.hpp
+++ b/src/smb.hpp
@@ -35,6 +35,7 @@ class SmbShare
         else
         {
             LogMsg(Logger::Info, "Authenticating as ", credentials->user());
+            credentials->escapeCommas();
             credentialsOpt = "user=" + credentials->user() +
                              ",password=" + credentials->password();
         }
diff --git a/src/utils.hpp b/src/utils.hpp
index f0d71d6..ebbdaf6 100644
--- a/src/utils.hpp
+++ b/src/utils.hpp
@@ -46,13 +46,39 @@ class Credentials
         return passBuf;
     }
 
+    void escapeCommas()
+    {
+        if (!commasEscaped)
+        {
+            escapeComma(userBuf);
+            escapeComma(passBuf);
+            commasEscaped = true;
+        }
+    }
+
   private:
     Credentials() = delete;
     Credentials(const Credentials&) = delete;
     Credentials& operator=(const Credentials&) = delete;
 
+    /* escape ',' (coma) by ',,' */
+    void escapeComma(std::string& s)
+    {
+        std::string temp;
+        std::for_each(s.begin(), s.end(), [&temp](const auto& c) {
+            *std::back_inserter(temp) = c;
+            if (c == ',')
+            {
+                *std::back_inserter(temp) = c;
+            }
+        });
+        std::swap(s, temp);
+        secureCleanup(temp);
+    }
+
     std::string userBuf;
     std::string passBuf;
+    bool commasEscaped{false};
 };
 
 class CredentialsProvider
@@ -83,6 +109,11 @@ class CredentialsProvider
     {
     }
 
+    void escapeCommas()
+    {
+        credentials.escapeCommas();
+    }
+
     const std::string& user()
     {
         return credentials.user();
-- 
cgit v1.2.3