From 2be3f0fb6f38042386975111a1e86e7b5850ac85 Mon Sep 17 00:00:00 2001 From: Michal Zidek Date: Mon, 1 Oct 2012 18:08:36 +0200 Subject: sss_seed: Make only first line of password file valid. When file is used to specify a password in sss_seed, then only first line of this file is used. Also empty passwords are treated as errors. https://fedorahosted.org/sssd/ticket/1548 --- src/tools/sss_seed.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c index bcb260a1..9b8f69b1 100644 --- a/src/tools/sss_seed.c +++ b/src/tools/sss_seed.c @@ -196,6 +196,14 @@ static int seed_password_input_prompt(TALLOC_CTX *mem_ctx, char **_password) ret = EINVAL; goto done; } + + /* Do not allow empty passwords */ + if (strlen(temp) == 0) { + ERROR("Empty passwords are not allowed.\n"); + ret = EINVAL; + goto done; + } + password = talloc_strdup(tmp_ctx, temp); if (password == NULL) { ret = ENOMEM; @@ -235,6 +243,8 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx, uint8_t buf[PASS_MAX+1]; int fd = -1; int ret = EOK; + int valid_i; + int i; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -266,6 +276,32 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx, close(fd); buf[len] = '\0'; + /* Only the first line is valid (without '\n'). */ + for (valid_i = -1; valid_i + 1 < len; valid_i++) { + if (buf[valid_i + 1] == '\n') { + buf[valid_i + 1] = '\0'; + break; + } + } + + /* Do not allow empty passwords. */ + if (valid_i < 0) { + ERROR("Empty passwords are not allowed.\n"); + ret = EINVAL; + goto done; + } + + /* valid_i is the last valid index of the password followed by \0. + * If characters other than \n occur int the rest of the file, it + * is an error. */ + for (i = valid_i + 2; i < len; i++) { + if (buf[i] != '\n') { + ERROR("Multi-line passwords are not allowed.\n"); + ret = EINVAL; + goto done; + } + } + password = talloc_strdup(tmp_ctx, (char *)buf); if (password == NULL) { ret = ENOMEM; -- cgit