security for PAM

2025-01-03 01:17:56 +03:00 · 2019-05-14 08:33:58 +02:00 · 2019-05-14 08:33:58 +02:00 · 4c001b044f
commit 4c001b044f
parent 70141ae972
1 changed files with 16 additions and 7 deletions
--- a/server/src/uds/dispatchers/pam/views.py
+++ b/server/src/uds/dispatchers/pam/views.py
@ -27,9 +27,9 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-'''
+"""
@author: Adolfo Gómez, dkmaster at dkmon dot com
-'''
+"""
 from __future__ import unicode_literals

 from django.http import HttpResponseNotAllowed, HttpResponse
@ -49,11 +49,20 @@ def pam(request):
        return HttpResponseNotAllowed(['GET'])
    if 'id' in request.GET and 'pass' in request.GET:
        # This is an "auth" request
-        logger.debug("Auth request for user [{0}] and pass [{1}]".format(request.GET['id'], request.GET['pass']))
-        password = TicketStore.get(request.GET['id'])
+        ids = request.GET.getlist('id')
        response = '0'
+        if len(ids) == 1:
+            userId = ids[0]
+            logger.debug("Auth request for user [{0}] and pass [{1}]".format(request.GET['id'], request.GET['pass']))
+            try:
+                password = TicketStore.get(userId)
                if password == request.GET['pass']:
                    response = '1'
+            except Exception:
+                # Non existing ticket, log it and stop
+                logger.info('Invalid access from {} using user {}'.format(request.ip, userId))
+        else:
+            logger.warn('Invalid request from {}: {}'.format(request.ip, [v for v in request.GET.lists()]))
            
    elif 'uid' in request.GET:
        # This is an "get name for id" call