Bug #16922
Status: open
Captive Portal authentication failures from usernames containing special characters or long strings can cause ambiguous or confusing log messages
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture:
Description
Captive Portal logs authentication events, which end up in portalauth.log. If a login attempt contains a username with special characters, such as CR/LF, those characters are passed through to the log unchanged. That behavior lets a user submit a username that makes the resulting log messages ambiguous or confusing.
The impact is minimal as these logs are only text and are not used for purposes other than recording events. The content of the logs is encoded before display so there is no risk of XSS.
A function was added in #16314 to clean up usernames in this type of scenario, so leveraging it to address this minor issue is easy:
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index 2035902cbc..7110ea838d 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -1185,6 +1185,7 @@ function captiveportal_get_last_activity($ip) {
/* part of this code from php.net */
function captiveportal_logportalauth($user, $mac, $ip, $status, $message = null) {
// Log it
+ $user = cleanup_invalid_username($user);
if (!$message) {
$message = "{$status}: {$user}, {$mac}, {$ip}";
} else {
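Review bot: The cleanup at `$user = cleanup_invalid_username($user);` only covers the default message path; when a caller supplies `$message`, the `if (!$message)` branch is skipped and any username the caller already embedded in that string reaches the log untouched. Either confirm that every caller passing `$message` runs the same cleanup first, or sanitize `$message` as well before it is logged. The issue title also covers long strings, and nothing in this hunk shows a length cap, so verify that cleanup_invalid_username() truncates or add a cap here.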
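To illustrate the log-ambiguity problem described above, here is an added example (not pfSense code; sanitize_log_username() is a hypothetical stand-in for the project's cleanup_invalid_username(), not that function): it builds the same "status: user, mac, ip" message with and without a sanitizer that strips control characters and caps the length, using a constructed username that carries an embedded CR/LF.

```php
<?php
// Hypothetical sanitizer (assumption: not the project's cleanup_invalid_username()).
// Two properties matter for this bug: no control characters (CR/LF included)
// and a bounded length, so one login cannot spill across log lines or flood them.
function sanitize_log_username(string $user, int $maxlen = 64): string {
    // Drop ASCII control characters 0x00-0x1F and 0x7F; CR (0x0D) and LF (0x0A) are among them.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $user);
    if (strlen($clean) > $maxlen) {
        // Keep the log entry bounded; mark the truncation so it is visible to a reader.
        $clean = substr($clean, 0, $maxlen) . '...';
    }
    return $clean;
}

// Mirrors the message layout built in captiveportal_logportalauth() on the page.
function build_portalauth_message(string $status, string $user, string $mac, string $ip, bool $sanitize): string {
    if ($sanitize) {
        $user = sanitize_log_username($user);
    }
    return "{$status}: {$user}, {$mac}, {$ip}";
}

// Number of lines a single "entry" would occupy once written out.
function line_count(string $msg): int {
    return substr_count($msg, "\n") + 1;
}

// Constructed sample input: a username containing CR/LF followed by text that
// looks like a second, unrelated entry. MAC and IP are constructed placeholders.
$user = "alice\r\nSUCCESS: bob, 00:00:5e:00:53:01, 192.0.2.20";
$mac  = '00:00:5e:00:53:02';
$ip   = '192.0.2.10';

$raw   = build_portalauth_message('FAILURE', $user, $mac, $ip, false);
$fixed = build_portalauth_message('FAILURE', $user, $mac, $ip, true);

// Unsanitized: 2 lines, the second reads as a separate (bogus) success entry.
// Sanitized: 1 line, the injected text stays inside the username field.
echo "Unsanitized (" . line_count($raw) . " line(s)):\n" . $raw . "\n\n";
echo "Sanitized (" . line_count($fixed) . " line(s)):\n" . $fixed . "\n";
```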