USER command: only allow alphanumeric characters in user name
authorAlexander Barton <alex@barton.de>
Fri, 1 Jun 2012 21:57:51 +0000 (23:57 +0200)
committerAlexander Barton <alex@barton.de>
Fri, 1 Jun 2012 21:57:51 +0000 (23:57 +0200)
Only alphanumeric characters are allowed in the user name, so terminate
the connection if any "strange" characters have been supplied by the user.

This is how other IRC daemons (like ircd2.11 and ircd-seven) behave ...

src/ngircd/irc-login.c

index 6c1c708a61d49532e29d8c86136228fb492e4af7..3fb1b902412118e2cad5b58bcae8af0dacec6379 100644 (file)
@@ -400,9 +400,7 @@ GLOBAL bool
 IRC_USER(CLIENT * Client, REQUEST * Req)
 {
        CLIENT *c;
-#ifdef IDENTAUTH
        char *ptr;
-#endif
 
        assert(Client != NULL);
        assert(Req != NULL);
@@ -420,7 +418,19 @@ IRC_USER(CLIENT * Client, REQUEST * Req)
                                                  Client_ID(Client),
                                                  Req->command);
 
-               /* User name */
+               /* User name: only alphanumeric characters are allowed! */
+               ptr = Req->argv[0];
+               while (*ptr) {
+                       if ((*ptr < '0' || *ptr > '9') &&
+                           (*ptr < 'A' || *ptr > 'Z') &&
+                           (*ptr < 'a' || *ptr > 'z')) {
+                               Conn_Close(Client_Conn(Client), NULL,
+                                          "Invalid user name", true);
+                               return DISCONNECTED;
+                       }
+                       ptr++;
+               }
+
 #ifdef IDENTAUTH
                ptr = Client_User(Client);
                if (!ptr || !*ptr || *ptr == '~')
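Review bot: The new loop over `Req->argv[0]` accepts an empty user name, because `while (*ptr)` never executes its body for a zero-length string. Unless a check earlier in IRC_USER (outside this hunk) already rules that out, add a guard before the loop that reuses the same rejection path: `if (!*ptr) { Conn_Close(Client_Conn(Client), NULL, "Invalid user name", true); return DISCONNECTED; }`. The explicit ASCII range comparisons are the right choice for client-supplied bytes, since `isalnum()` is locale-dependent and undefined for negative `char` values. Extending the comment to say so, e.g. `/* ASCII ranges on purpose: isalnum() is locale-dependent */`, would keep a later cleanup from weakening the filter. The check also runs before the `#ifdef IDENTAUTH` branch, so it appears to disconnect a client even when the ident-supplied name would be used instead; confirm that is intended.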