91 lines
2.9 KiB
Diff
91 lines
2.9 KiB
Diff
|
From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
|
||
|
From: Simo Sorce <simo@redhat.com>
|
||
|
Date: Thu, 26 Mar 2015 16:30:56 -0400
|
||
|
Subject: [PATCH] Escape principal name to remove the path separator
|
||
|
|
||
|
The principla name is used as a file name, any embedded path separators
|
||
|
are going to cause trouble if used in the file name, so we need to escape
|
||
|
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
|
||
|
|
||
|
Fixes #14
|
||
|
---
|
||
|
src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||
|
1 file changed, 53 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
||
|
index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
|
||
|
--- a/src/mod_auth_gssapi.c
|
||
|
+++ b/src/mod_auth_gssapi.c
|
||
|
@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
+static char *escape(apr_pool_t *pool, const char *name,
|
||
|
+ char find, const char *replace)
|
||
|
+{
|
||
|
+ char *escaped = NULL;
|
||
|
+ char *namecopy;
|
||
|
+ char *n;
|
||
|
+ char *p;
|
||
|
+
|
||
|
+ namecopy = apr_pstrdup(pool, name);
|
||
|
+ if (!namecopy) goto done;
|
||
|
+
|
||
|
+ p = strchr(namecopy, find);
|
||
|
+ if (!p) return namecopy;
|
||
|
+
|
||
|
+ /* first segment */
|
||
|
+ n = namecopy;
|
||
|
+ while (p) {
|
||
|
+ /* terminate previous segment */
|
||
|
+ *p = '\0';
|
||
|
+ if (escaped) {
|
||
|
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
|
||
|
+ } else {
|
||
|
+ escaped = apr_pstrcat(pool, n, replace, NULL);
|
||
|
+ }
|
||
|
+ if (!escaped) goto done;
|
||
|
+ /* move to next segment */
|
||
|
+ n = p + 1;
|
||
|
+ p = strchr(n, find);
|
||
|
+ }
|
||
|
+ /* append last segment if any */
|
||
|
+ if (*n) {
|
||
|
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
|
||
|
+ }
|
||
|
+
|
||
|
+done:
|
||
|
+ if (!escaped) {
|
||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
||
|
+ "OOM escaping name");
|
||
|
+ }
|
||
|
+ return escaped;
|
||
|
+}
|
||
|
+
|
||
|
static void mag_store_deleg_creds(request_rec *req,
|
||
|
char *dir, char *clientname,
|
||
|
gss_cred_id_t delegated_cred,
|
||
|
@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
|
||
|
gss_key_value_set_desc store;
|
||
|
char *value;
|
||
|
uint32_t maj, min;
|
||
|
+ char *escaped;
|
||
|
|
||
|
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
|
||
|
+ /* We need to escape away '/', we can't have path separators in
|
||
|
+ * a ccache file name */
|
||
|
+ /* first double escape the esacping char (~) if any */
|
||
|
+ escaped = escape(req->pool, clientname, '~', "~~");
|
||
|
+ if (!escaped) return;
|
||
|
+ /* then escape away the separator (/) if any */
|
||
|
+ escaped = escape(req->pool, escaped, '/', "~");
|
||
|
+ if (!escaped) return;
|
||
|
+
|
||
|
+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
|
||
|
if (!value) {
|
||
|
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
||
|
"OOM storing delegated credentials");
|
||
|
--
|
||
|
2.1.0
|
||
|
|