CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

login cgi argument sanity checking

One of our users has discovered by accident that the login CGI will accept
a backslash in the username and will correctly authenticate to the KDC,
presumably because the backslash is regarded by the krb functions as just
quoting the following character. However, cosign retains the backslash in
the authenticated username and so the backslash appears in the REMOTE_USER
environment variable when it is read by mod_cosign.  This then affects

It doesn't look like cgi.c does any sanity checking of the login argument
that is passed to it from the html form.  It should probably check that
only alphanumeric characters are accepted (and perhaps / to allow for
non-default principals), though this might affect non-ascii usernames (do
people use multicharacter usernames?). What do people think?

Graeme Wood                                 Email: Graeme.Wood@xxxxxxxx
Unix Systems Support                        Phone: +44 131 650 5003
The University of Edinburgh                 Fax:   +44 131 650 6552

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010