Reject insane usernames

This commit is contained in:
Quantum 2025-07-20 18:53:07 -04:00
parent cfa4ff1c52
commit a308005e90


@ -4,6 +4,7 @@ import hashlib
import hmac import hmac
import logging import logging
import os import os
import re
import struct import struct
import time import time
from typing import Optional from typing import Optional
@ -154,6 +155,10 @@ def auth_spnego(context: Context, next_url: str) -> Response:
return auth_success(context, next_url) return auth_success(context, next_url)
def is_sane_username(username: str) -> bool:
return len(username) <= 64 and re.match(r'^[a-zA-Z0-9._@-]+$', username) is not None
def auth_basic(context: Context, next_url: str) -> Response: def auth_basic(context: Context, next_url: str) -> Response:
try: try:
token = base64.b64decode(request.headers['Authorization'][6:]) token = base64.b64decode(request.headers['Authorization'][6:])
@ -161,8 +166,8 @@ def auth_basic(context: Context, next_url: str) -> Response:
except (binascii.Error, UnicodeDecodeError): except (binascii.Error, UnicodeDecodeError):
return Response(status=400) return Response(status=400)
if not username or not password: if not username or not is_sane_username(username) or not password:
return make_401('Invalid username or password') return make_401('Authentication failed')
assert LDAP_USER_DN is not None assert LDAP_USER_DN is not None
dn = LDAP_USER_DN % (username,) dn = LDAP_USER_DN % (username,)
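Review bot: `re.match(r'^[a-zA-Z0-9._@-]+$', username)` in the new is_sane_username still accepts a username that ends in a newline, because `$` matches before a trailing `\n`; a value such as `alice\n` passes the check and then reaches `LDAP_USER_DN % (username,)` in the following hunk. Replace the test with `re.fullmatch(r'[a-zA-Z0-9._@-]+', username) is not None` (or terminate the pattern with `\Z`) so the entire string must match the allowlist. A docstring stating the contract would also help, e.g. `"""Return True if username is at most 64 chars drawn from [A-Za-z0-9._@-], the only characters this module interpolates into the LDAP user DN."""`. With that regex in place the `not username` test on the `if` line is redundant (the `+` already rejects the empty string), though harmless. auth_basic continues past the end of the last hunk, so the remaining uses of `dn` are not visible here.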