
Bug #16922

open

Captive Portal authentication failures from usernames containing special characters or long strings can cause ambiguous or confusing log messages

Added by Jim Pingle 1 day ago. Updated 1 day ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Captive Portal
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Captive Portal logs authentication events, which end up in portalauth.log. If a login attempt contains a username with special characters, such as CR/LF, those characters are passed through to the log unchanged. That behavior lets a user submit usernames that make the resulting log messages ambiguous or confusing.

The impact is minimal as these logs are only text and are not used for purposes other than recording events. The content of the logs is encoded before display so there is no risk of XSS.
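The following is an added example, not pfSense code and not the fix from this ticket. It shows why an embedded CR/LF in a username is a problem for a line-oriented log such as portalauth.log, and what a control-character cleanup before message formatting achieves. The helper name sanitize_log_username() is a hypothetical stand-in for the project's cleanup_invalid_username() from #16314, whose exact rules are not shown on this page; the username, MAC and IP values are constructed.

```php
<?php
// Added example (not pfSense code). sanitize_log_username() is a hypothetical
// stand-in for cleanup_invalid_username() from #16314; its rules are an assumption.

function sanitize_log_username(string $user, int $maxlen = 64): string {
    // Replace ASCII control characters (0x00-0x1F and 0x7F), which include
    // CR and LF, with '?' so the username can never break a log line.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $user) ?? '';
    // Cap the length so one attempt cannot produce an enormous log line.
    if (strlen($clean) > $maxlen) {
        $clean = substr($clean, 0, $maxlen) . '...';
    }
    return $clean;
}

function format_portalauth_message(string $status, string $user, string $mac, string $ip): string {
    // Same layout as the default message built by captiveportal_logportalauth().
    return "{$status}: {$user}, {$mac}, {$ip}";
}

function count_log_lines(string $message): int {
    // A line-oriented log reader treats each CR/LF as a record boundary.
    return count(preg_split('/\r\n|\r|\n/', $message));
}

// Constructed sample input: a username carrying an embedded CR/LF sequence.
$user = "alice\r\nSECOND-LINE: not-a-real-record";
$mac  = "aa:bb:cc:dd:ee:ff";  // constructed
$ip   = "192.0.2.10";         // constructed (TEST-NET-1)

$raw   = format_portalauth_message("FAILURE", $user, $mac, $ip);
$clean = format_portalauth_message("FAILURE", sanitize_log_username($user), $mac, $ip);

printf("raw message is read as %d log line(s)\n", count_log_lines($raw));
printf("cleaned message is read as %d log line(s)\n", count_log_lines($clean));
echo $clean, "\n";
```

Running this shows the raw message being read as two records while the cleaned one stays on a single line with the control characters replaced by `?`, which is the property a log reviewer needs: one authentication attempt, one unambiguous log entry.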

A function was added in #16314 to clean up usernames in this type of scenario, so leveraging that to address this minor issue is easy:

diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index 2035902cbc..7110ea838d 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -1185,6 +1185,7 @@ function captiveportal_get_last_activity($ip) {
 /* part of this code from php.net */
 function captiveportal_logportalauth($user, $mac, $ip, $status, $message = null) {
        // Log it
+       $user = cleanup_invalid_username($user);
        if (!$message) {
                $message = "{$status}: {$user}, {$mac}, {$ip}";
        } else {
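Review bot: the cleanup on the added line only protects the default message path; in the `else` branch a caller-supplied `$message` is used as-is, so a username that a caller has already interpolated into `$message` still reaches the log uncleaned. Either apply `cleanup_invalid_username()` in every caller that builds its own `$message`, or document on this function that a caller-supplied `$message` must be built from an already cleaned username. A short comment on the new line stating why the cleanup happens here (CR/LF in usernames reaching portalauth.log) would also help future readers.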