From a308005e900d338a90f7bce08f55b207f1c9345d Mon Sep 17 00:00:00 2001
From: Quantum
Date: Sun, 20 Jul 2025 18:53:07 -0400
Subject: [PATCH] Reject insane usernames
---
 nginx_krbauth.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/nginx_krbauth.py b/nginx_krbauth.py
index 6d10023..2b43517 100644
--- a/nginx_krbauth.py
+++ b/nginx_krbauth.py
@@ -4,6 +4,7 @@ import hashlib
 import hmac
 import logging
 import os
+import re
 import struct
 import time
 from typing import Optional
@@ -154,6 +155,10 @@ def auth_spnego(context: Context, next_url: str) -> Response:
 return auth_success(context, next_url)
+def is_sane_username(username: str) -> bool:
+ return len(username) <= 64 and re.match(r'^[a-zA-Z0-9._@-]+$', username) is not None
+
+
 def auth_basic(context: Context, next_url: str) -> Response:
 try:
 token = base64.b64decode(request.headers['Authorization'][6:])
@@ -161,8 +166,8 @@ def auth_basic(context: Context, next_url: str) -> Response:
 except (binascii.Error, UnicodeDecodeError):
 return Response(status=400)
- if not username or not password:
- return make_401('Invalid username or password')
+ if not username or not is_sane_username(username) or not password:
+ return make_401('Authentication failed')
 assert LDAP_USER_DN is not None
 dn = LDAP_USER_DN % (username,)
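Review bot: The `$` anchor in `re.match(r'^[a-zA-Z0-9._@-]+$', username)` still accepts a username that ends in one trailing newline, because Python's `$` matches just before a final `\n`, so `is_sane_username('alice\n')` returns True and that newline flows on into `LDAP_USER_DN % (username,)` in the following hunk; `re.fullmatch` with no anchors closes the gap: `return len(username) <= 64 and re.fullmatch(r'[a-zA-Z0-9._@-]+', username) is not None`. The new function also carries no docstring, and since its whole purpose is to bound what is interpolated into the DN template, a one-liner such as `"""Return True if username is 1-64 chars drawn from [A-Za-z0-9._@-], the only form accepted before it is interpolated into LDAP_USER_DN."""` would record that intent. The hunk opens on the last line of auth_spnego, whose body is outside the hunk.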
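Review bot: The `not username` clause in the new condition is now redundant, because the `+` quantifier in `is_sane_username` already rejects an empty string; `if not is_sane_username(username) or not password:` expresses the same check with one fewer term. Returning the same generic `make_401('Authentication failed')` for a malformed username as for a wrong password is a sensible choice for the client, but it leaves operators with nothing to distinguish the two cases during triage; a debug-level log line (the module imports `logging`, as the first hunk shows) noting that the username failed the sanity check, emitted before the return, would keep the response unchanged while making the rejection visible. The enclosing function auth_basic continues past the end of the hunk.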