diff -urd cosign-1.9.4/cgi/cgi.c cosign-1.9.4b/cgi/cgi.c
--- cosign-1.9.4/cgi/cgi.c 2005-11-01 18:07:38.000000000 -0500
+++ cosign-1.9.4b/cgi/cgi.c 2007-03-19 20:36:54.000000000 -0400
@@ -22,6 +22,7 @@
 #include "config.h"
 #include "login.h"
 #include "subfile.h"
+#include "mkcookie.h"
 #define SERVICE_MENU "/services/"
 #define LOOPWINDOW 30
@@ -309,7 +310,8 @@
 goto loginscreen;
 }
- if ( strlen( cookie ) < 120 ) {
+ len = strlen( cookie );
+ if ( len < 120 || len > 1024 ) {
 goto loginscreen;
 }
diff -urd cosign-1.9.4/cgi/network.c cosign-1.9.4b/cgi/network.c
--- cosign-1.9.4/cgi/network.c 2005-05-13 16:19:46.000000000 -0400
+++ cosign-1.9.4b/cgi/network.c 2007-03-19 20:52:44.000000000 -0400
@@ -27,6 +27,7 @@
 #include "argcargv.h"
 #include "cosigncgi.h"
 #include "network.h"
+#include "mkcookie.h"
 static void (*logger)( char * ) = NULL;
 static struct timeval timeout = { 10 * 60, 0 };
@@ -162,6 +163,10 @@
 {
 struct login_param lp;
+ if ( !validchars( cookie ) || !validchars( user )) {
+ return( -1 );
+ }
+
 lp.lp_cookie = cookie;
 lp.lp_ip = ip;
 lp.lp_user = user;
@@ -325,6 +330,9 @@
 {
 struct logout_param lp;
+ if ( !validchars( cookie )) {
+ return( -1 );
+ }
 lp.lp_cookie = cookie;
 lp.lp_ip = ip;
@@ -378,6 +386,10 @@
 struct reg_param rp;
+ if ( !validchars( cookie ) || !validchars( scookie )) {
+ return( -1 );
+ }
+
 rp.rp_cookie = cookie;
 rp.rp_ip = ip;
 rp.rp_scookie = scookie;
@@ -431,6 +443,10 @@
 {
 static struct check_param cp;
+ if ( !validchars( cookie )) {
+ return( -1 );
+ }
+
 cp.cp_cookie = cookie;
 *cp.cp_user = '\0';
diff -urd cosign-1.9.4/common/mkcookie.c cosign-1.9.4b/common/mkcookie.c
--- cosign-1.9.4/common/mkcookie.c 2005-11-01 12:15:52.000000000 -0500
+++ cosign-1.9.4b/common/mkcookie.c 2007-03-19 20:45:50.000000000 -0400
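Review bot: In cgi/cgi.c the new upper bound in `if ( len < 120 || len > 1024 )` repeats as a literal the value that common/mkcookie.h already names `MAXCOOKIELEN`, and this commit adds the include that brings that name into scope. Writing `if ( len < 120 || len > MAXCOOKIELEN ) {` keeps the CGI's limit tied to the shared definition; if MAXCOOKIELEN is a buffer size that must also hold the terminating NUL, the comparison should be `>=`, which cannot be decided from this hunk. The declaration of `len` is outside the hunk and should be `size_t` so that the strlen() result is not narrowed before the range check. This branch checks length only, so the byte-level check for this path depends on the validchars() calls added in cgi/network.c.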
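Review bot: The validchars() guards added to the four request builders in cgi/network.c (the hunks at new lines 163, 330, 386 and 443, filling login_param, logout_param, reg_param and check_param) fail with a bare `return( -1 );`, which a caller presumably cannot tell apart from a network or daemon failure and which leaves no record that a malformed cookie or user name was submitted. The file already keeps a `logger` callback (visible in the first network.c hunk), so a fixed message before each return, for example `if ( logger != NULL ) (*logger)( "invalid characters in cookie or user" );`, would give operators something to alert on; log a constant string rather than the rejected value. validchars() dereferences its argument unconditionally, so each guard assumes `cookie`, `user` and `scookie` are non-NULL, and `ip` is still copied into the parameter struct unchecked; whether either can be influenced by the client is not visible here. The function signatures and the remainder of each body lie outside the hunks.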
@@ -5,6 +5,54 @@
 #include "fbase64.h"
 #include "mkcookie.h"
+static char valid_tab[ 256 ] = {
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 1, 0, 1, 1, 0, /* '+' '-' '.' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* '0' '1' '2' '3' '4' '5' '6' '7' */
+ 1, 1, 0, 0, 0, 1, 0, 0, /* '8' '9' '=' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* '@' 'A' 'B' 'C' 'D' 'E' 'F' 'G' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* 'H' 'I' 'J' 'K' 'L' 'M' 'N' 'O' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* 'P' 'Q' 'R' 'S' 'T' 'U' 'V' 'W' */
+ 1, 1, 1, 0, 0, 0, 0, 1, /* 'X' 'Y' 'Z' '_' */
+ 0, 1, 1, 1, 1, 1, 1, 1, /* 'a' 'b' 'c' 'd' 'e' 'f' 'g' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* 'h' 'i' 'j' 'k' 'l' 'm' 'n' 'o' */
+ 1, 1, 1, 1, 1, 1, 1, 1, /* 'p' 'q' 'r' 's' 't' 'u' 'v' 'w' */
+ 1, 1, 1, 0, 0, 0, 0, 0, /* 'x' 'y' 'z' */
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+ int
+validchars( char *s )
+{
+ char *p;
+
+ for ( p = s; *p != '\0'; p++ ) {
+ if ( !valid_tab[ (unsigned char)*p ] ) {
+ return( 0 );
+ }
+ }
+ return( 1 );
+}
+
 int
 mkcookie( int len, char *buf )
 {
diff -urd cosign-1.9.4/common/mkcookie.h cosign-1.9.4b/common/mkcookie.h
--- cosign-1.9.4/common/mkcookie.h 2005-11-01 12:15:52.000000000 -0500
+++ cosign-1.9.4b/common/mkcookie.h 2007-03-19 20:36:26.000000000 -0400
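Review bot: validchars() in common/mkcookie.c carries no comment stating what it guarantees, and two properties a caller could get wrong follow directly from its loop: an empty string returns 1, and a NULL argument is dereferenced. I would add a header comment such as `/* return 1 if every byte of s is a letter, digit or one of + - . = @ _, else 0; "" is accepted, s must not be NULL, length is the caller's job */` and, if NULL can reach it, open the body with `if ( s == NULL ) return( 0 );`. The table and the argument are only read, so `static const char valid_tab[ 256 ]` and `validchars( const char *s )`, with the matching prototype in mkcookie.h, would let the compiler enforce that. The allowed set contains '.' but not '/', so the check keeps path separators out yet still accepts a value made only of dots; if a cookie is ever used as a file name (mkcookiepath() in the same header suggests a path is built somewhere), that case needs its own check. mkcookie() continues past the end of the hunk.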
@@ -5,6 +5,7 @@
 int mkcookie( int, char * );
 int mkcookiepath( char *, int, char *, char *, int );
+int validchars( char * );
 #define MAXCOOKIELEN 1024
diff -urd cosign-1.9.4/filters/apache/mod_cosign.c cosign-1.9.4b/filters/apache/mod_cosign.c
--- cosign-1.9.4/filters/apache/mod_cosign.c 2005-11-11 16:50:47.000000000 -0500
+++ cosign-1.9.4b/filters/apache/mod_cosign.c 2007-03-19 20:42:28.000000000 -0400
@@ -304,6 +304,10 @@
 goto set_cookie;
 }
+ if ( !validchars( my_cookie )) {
+ goto set_cookie;
+ }
+
 /*
 * Validate cookie with backside server. If we already have a cached
 * version of the data, just verify the cookie's still valid.
diff -urd cosign-1.9.4/filters/apache2/mod_cosign.c cosign-1.9.4b/filters/apache2/mod_cosign.c
--- cosign-1.9.4/filters/apache2/mod_cosign.c 2005-11-08 23:16:25.000000000 -0500
+++ cosign-1.9.4b/filters/apache2/mod_cosign.c 2007-03-19 20:42:39.000000000 -0400
@@ -317,6 +317,10 @@
 goto set_cookie;
 }
+ if ( !validchars( my_cookie )) {
+ goto set_cookie;
+ }
+
 /*
 * Validate cookie with backside server. If we already have a cached
 * version of the data, just verify the cookie's still valid.
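Review bot: The new `if ( !validchars( my_cookie ))` branch in filters/apache/mod_cosign.c, and the identical hunk in filters/apache2/mod_cosign.c, checks the cookie's bytes but not its length, whereas the CGI in this same patch also rejects cookies longer than 1024 bytes. Unless a check outside the hunk already bounds `my_cookie`, an arbitrarily long value made of allowed characters still reaches the backside validation; `if ( strlen( my_cookie ) > MAXCOOKIELEN || !validchars( my_cookie )) {` would bring the filters in line with the CGI. Neither mod_cosign.c hunk adds `#include "mkcookie.h"` the way cgi.c and network.c do, so it is worth confirming the header is already included there rather than relying on an implicit declaration of validchars(). The rejection is also silent, and a request-level log entry with a fixed message before `goto set_cookie;` would make malformed-cookie probing visible to operators. Both hunks sit in the middle of a function whose start and end are outside the view.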