Discussion forum about ELOG
parse a correctly the username in save_user_config when using Webserver authentication, posted by Christof Hanke on Wed May 6 15:13:11 2015 parse_http_user_correctly.patch
    Re: parse a correctly the username in save_user_config when using Webserver authentication, posted by Stefan Ritt on Tue Jun 9 15:44:49 2015
Message ID: 67884     Entry time: Wed May 6 15:13:11 2015     Reply to this: 67976
Icon: Warning  Author: Christof Hanke  Author Email: hanke@rzg.mpg.de 
Category: Bug fix  OS: All  ELOG Version: 3.1.0 
Subject: parse a correctly the username in save_user_config when using Webserver authentication 

Hi Stefan,

 

When we use Webserver authentication, we have the correct username already in the variable http_user.

The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.

Instead, just encode the http_user variable directly.

See attached patch against git HEAD.

Christof

 

Attachment 1: parse_http_user_correctly.patch  780 Bytes
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..de4734b 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -13142,12 +13142,13 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
 
    /* if we outsourced the authentication, use external username */
    getcfg(lbs->name, "Authentication", str, sizeof(str));
-   if ( stristr(str, "Webserver")) {
-      strlcpy(user, http_user, sizeof(user));
-   }
 
    /* do not allow HTML in user name */
-   strencode2(user_enc, user, sizeof(user_enc));
+   if ( stristr(str, "Webserver")) {
+      strencode2(user_enc, http_user, sizeof(user_enc));
+   } else {
+      strencode2(user_enc, user, sizeof(user_enc));
+   }
 
    /* check for user name */
    if (!isparam("new_user_name") || *getparam("new_user_name") == 0) {
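Review bot: In the new `if ( stristr(str, "Webserver"))` branch only `user_enc` is derived from `http_user`; the `user` parameter is no longer updated, so any use of `user` later in save_user_config (outside the lines shown here) would see the caller-supplied name rather than the one the web server authenticated. Please confirm that nothing after this point reads `user` directly. Alternatively, select the source once (a local pointer set to either `http_user` or `user`) and use that pointer both for the `strencode2` call and for every later reference, which also removes the duplicated `strencode2` line. It would help to state the root cause in the commit message: in the removed `strlcpy(user, http_user, sizeof(user));` the destination is the `char *user` parameter from the function signature, so `sizeof(user)` is the size of a pointer and not of the caller's buffer, and the copied name was cut to that length. Minor style point: the comment "if we outsourced the authentication, use external username" now sits above `getcfg` while the branch it describes has moved below "do not allow HTML in user name", so the two comments should be reordered or merged to match the code.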