Bugs #797, #485: Add invalid character checks to user names, add invalid char ':'

2025-03-13 12:58:17 +03:00 · 2011-09-13 17:50:45 +02:00 · 2011-09-13 17:50:45 +02:00 · f2a45ed139
commit f2a45ed139
parent 6058460284
5 changed files with 39 additions and 22 deletions
--- a/include/User.h
+++ b/include/User.h
@ -34,7 +34,7 @@ public:
    /**
     *  Characters that can not be in a password
     */
-    static const string NO_PASSWD_CHARS;
+    static const string INVALID_CHARS;

    /**
     * Function to print the User object into a string in XML format
@ -78,31 +78,52 @@ public:
    };

    /**
-     *  Checks if a password is valid.
-     *    @param passwd to be checked
-     *    @return true if the password is valid
+     *  Checks if a name or password is valid, i.e. it is not empty and does not
+     *  contain invalid characters.
+     *    @param str Name or password to be checked
+     *    @param error_str Returns the error reason, if any
+     *    @return true if the string is valid
     */
-    static bool is_valid_password(const string& passwd)
+    static bool is_valid(const string& str, string& error_str)
    {
-        return passwd.find_first_of(NO_PASSWD_CHARS) == string::npos;
+        if ( str.empty() )
+        {
+            error_str = "cannot be empty";
+            return false;
+        }
+
+        size_t pos = str.find_first_of(INVALID_CHARS);
+
+        if ( pos != string::npos )
+        {
+            ostringstream oss;
+            oss << "character '" << str.at(pos) << "' is not allowed";
+
+            error_str = oss.str();
+            return false;
+        }
+
+        return true;
    }

    /**
     *  Sets user password. It checks that the new password does not contain
     *  forbidden chars.
     *    @param _password the new pass
+     *    @param error_str Returns the error reason, if any
     *    @returns -1 if the password is not valid
     */
-    int set_password(const string& passwd)
+    int set_password(const string& passwd, string& error_str)
    {
        int rc = 0;

-        if (is_valid_password(passwd))
+        if (is_valid(passwd, error_str))
        { 
            password = passwd;
        }
        else
        {
+            error_str = string("Invalid password: ").append(error_str);
            rc = -1;
        }

--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@ -61,16 +61,12 @@ int UserChangePassword::user_action(User * user,

    string new_pass = xmlrpc_c::value_string(paramList.getString(2));

-    int rc = user->set_password(new_pass);
+    int rc = user->set_password(new_pass, error_str);

    if ( rc == 0 )
    {
        pool->update(user);
    }
-    else
-    {
-        error_str = "Invalid password, it can not contain spaces.";
-    }

    user->unlock();

--- a/src/um/User.cc
+++ b/src/um/User.cc
@ -27,7 +27,7 @@
 #include "Group.h"


-const string User::NO_PASSWD_CHARS = " \t\n\v\f\r";
+const string User::INVALID_CHARS = " :\t\n\v\f\r";

 /* ************************************************************************** */
 /* User :: Database Access Functions                                          */
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@ -136,12 +136,12 @@ int UserPool::allocate (

    ostringstream   oss;

-    if (password.empty() || !User::is_valid_password(password))
+    if ( !User::is_valid(password, error_str) )
    {
        goto error_pass;
    }

-    if ( uname.empty() )
+    if ( !User::is_valid(uname, error_str) )
    {
        goto error_name;
    }
@ -182,11 +182,11 @@ int UserPool::allocate (
    return *oid;

 error_pass:
-    oss << "Invalid password, it can not contain spaces.";
+    oss << "Invalid password, " << error_str << ".";
    goto error_common;

 error_name:
-    oss << "NAME cannot be empty.";
+    oss << "Invalid NAME, " << error_str << ".";
    goto error_common;

 error_duplicated:
--- a/src/um/test/UserPoolTest.cc
+++ b/src/um/test/UserPoolTest.cc
@ -31,10 +31,10 @@ const string usernames[] = { "A_user", "B_user", "C_user", "D_user", "E_user" };
 const string passwords[] = { "A_pass", "B_pass", "C_pass", "D_pass", "E_pass" };

 const string dump_result =
-    "<USER_POOL><USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>one_user_test</NAME><PASSWORD>5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>1</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a</NAME><PASSWORD>p</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>2</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a name</NAME><PASSWORD>pass</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>3</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name</NAME><PASSWORD>password</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>4</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>another name</NAME><PASSWORD>secret</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>5</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>user</NAME><PASSWORD>1234</PASSWORD><ENABLED>1</ENABLED></USER></USER_POOL>";
+    "<USER_POOL><USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>one_user_test</NAME><PASSWORD>5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>1</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a</NAME><PASSWORD>p</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>2</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name</NAME><PASSWORD>pass</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>3</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name_2</NAME><PASSWORD>password</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>4</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>another_name</NAME><PASSWORD>secret</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>5</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>user</NAME><PASSWORD>1234</PASSWORD><ENABLED>1</ENABLED></USER></USER_POOL>";

 const string dump_where_result =
-    "<USER_POOL><USER><ID>1</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a</NAME><PASSWORD>p</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>2</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a name</NAME><PASSWORD>pass</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>3</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name</NAME><PASSWORD>password</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>4</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>another name</NAME><PASSWORD>secret</PASSWORD><ENABLED>1</ENABLED></USER></USER_POOL>";
+    "<USER_POOL><USER><ID>1</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a</NAME><PASSWORD>p</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>2</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name</NAME><PASSWORD>pass</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>3</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>a_name_2</NAME><PASSWORD>password</PASSWORD><ENABLED>1</ENABLED></USER><USER><ID>4</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>another_name</NAME><PASSWORD>secret</PASSWORD><ENABLED>1</ENABLED></USER></USER_POOL>";

 #include "NebulaTest.h"

@ -313,7 +313,7 @@ public:

    void dump()
    {
-        string d_names[] = {"a", "a name", "a_name", "another name", "user"};
+        string d_names[] = {"a", "a_name", "a_name_2", "another_name", "user"};
        string d_pass[]  = {"p", "pass", "password", "secret", "1234"};

        int oid;
@ -340,7 +340,7 @@ public:

    void dump_where()
    {
-        string d_names[] = {"a", "a name", "a_name", "another name", "user"};
+        string d_names[] = {"a", "a_name", "a_name_2", "another_name", "user"};
        string d_pass[]  = {"p", "pass", "password", "secret", "1234"};

        int oid;