authorFlorian Zschocke <f.zschocke+git@gmail.com>2022-03-13 18:03:17 +0100
committerFlorian Zschocke <f.zschocke+git@gmail.com>2022-03-13 18:03:17 +0100
commit9b4afad6f4be212474809533ec2c280cce86501a (patch)
tree9dbdc1fe354efc77330589a52b75aedb49ab1428 /src/main/java/com/gitblit
parent16ec6d07c58356d9b20652b5ae168ae9f0fd2eaa (diff)
fix: Fix StoredUserConfig not escaping control characters
The `StoredUserConfig` only escaped the escape character, i.e. backslash. But it does not escape control characters like tab or newline. This introduces a vulnerability where an attacker can create new entries in their user account and create new accounts. In addition, other characters are also not properly handled. Field values with a comment character need to be quoted. This only happens for the `#` character and only when the value starts with it. Also the quote is not escaped in values. This change completely rewrites the `escape` method of `StoredUserConfig`. It takes care of properly escaping characters that need escaping for the git configuration file format. This fixes #1410
Diffstat (limited to 'src/main/java/com/gitblit')
-rw-r--r--src/main/java/com/gitblit/StoredUserConfig.java45
1 files changed, 42 insertions, 3 deletions
diff --git a/src/main/java/com/gitblit/StoredUserConfig.java b/src/main/java/com/gitblit/StoredUserConfig.java
index 63e1015c..c8f93b20 100644
--- a/src/main/java/com/gitblit/StoredUserConfig.java
+++ b/src/main/java/com/gitblit/StoredUserConfig.java
@@ -89,9 +89,48 @@ public class StoredUserConfig {
}
private static String escape(String value) {
- String fixedValue = '#' == value.charAt(0) ? "\"" + value + "\"" : value;
- fixedValue = fixedValue.replace("\\", "\\\\");
- return fixedValue;
+ boolean quoteIt = false;
+ StringBuilder fixedValue = new StringBuilder(value.length() + 20);
+
+ for (char c : value.toCharArray()) {
+ switch (c) {
+ case '\n':
+ fixedValue.append("\\n");
+ break;
+
+ case '\t':
+ fixedValue.append("\\t");
+ break;
+
+ case '\b':
+ fixedValue.append("\\b");
+ break;
+
+ case '\\':
+ fixedValue.append("\\\\");
+ break;
+
+ case '"':
+ fixedValue.append("\\\"");
+ break;
+
+ case ';':
+ case '#':
+ quoteIt = true;
+ fixedValue.append(c);
+ break;
+
+ default:
+ fixedValue.append(c);
+ break;
+ }
+ }
+
+ if (quoteIt) {
+ fixedValue.insert(0,"\"");
+ fixedValue.append("\"");
+ }
+ return fixedValue.toString();
}
private static String generateKey(String key, String subKey) {
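Review bot: The `default:` branch of the new `escape` still appends every other control character unchanged, so a carriage return or a NUL in a user-supplied field is written to the file as-is; only `\n`, `\t` and `\b` get an escape sequence. Whether a bare `\r` is treated as a line end depends on the parser that reads this file back, which is not visible here, but the git configuration format defines no escape for it, so the safer choice is to refuse such values, e.g. `default: if (c < ' ') throw new IllegalArgumentException("control character in config value");` ahead of the append. Separately, git-config discards leading and trailing whitespace of unquoted values, so `quoteIt` should probably also be set when `value` starts or ends with a space; otherwise those values do not round-trip.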