author | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-13 18:03:17 +0100 |
---|---|---|
committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-13 18:03:17 +0100 |
commit | 9b4afad6f4be212474809533ec2c280cce86501a (patch) | |
tree | 9dbdc1fe354efc77330589a52b75aedb49ab1428 /src/main/java/com/gitblit | |
parent | 16ec6d07c58356d9b20652b5ae168ae9f0fd2eaa (diff) | |
fix: Fix StoredUserConfig not escaping control characters
The `StoredUserConfig` only escaped the escape character, i.e. backslash.
But it does not escape control characters like tab or newline. This
introduces a vulnerability where an attacker can create new entries
in their user account and create new accounts.
In addition, other characters are also not properly handled. Field values
with a comment character need to be quoted. This only happens for the
`#` character and only when the value starts with it. Also the quote
is not escaped in values.
This change completely rewrites the `escape` method of `StoredUserConfig`.
It takes care of properly escaping characters that need escaping for the
git configuration file format.
This fixes #1410
Diffstat (limited to 'src/main/java/com/gitblit')
-rw-r--r-- | src/main/java/com/gitblit/StoredUserConfig.java | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/src/main/java/com/gitblit/StoredUserConfig.java b/src/main/java/com/gitblit/StoredUserConfig.java
index 63e1015c..c8f93b20 100644
--- a/src/main/java/com/gitblit/StoredUserConfig.java
+++ b/src/main/java/com/gitblit/StoredUserConfig.java
@@ -89,9 +89,48 @@ public class StoredUserConfig {
 	}
 
 	private static String escape(String value) {
-		String fixedValue = '#' == value.charAt(0) ? "\"" + value + "\"" : value;
-		fixedValue = fixedValue.replace("\\", "\\\\");
-		return fixedValue;
+		boolean quoteIt = false;
+		StringBuilder fixedValue = new StringBuilder(value.length() + 20);
+
+		for (char c : value.toCharArray()) {
+			switch (c) {
+			case '\n':
+				fixedValue.append("\\n");
+				break;
+
+			case '\t':
+				fixedValue.append("\\t");
+				break;
+
+			case '\b':
+				fixedValue.append("\\b");
+				break;
+
+			case '\\':
+				fixedValue.append("\\\\");
+				break;
+
+			case '"':
+				fixedValue.append("\\\"");
+				break;
+
+			case ';':
+			case '#':
+				quoteIt = true;
+				fixedValue.append(c);
+				break;
+
+			default:
+				fixedValue.append(c);
+				break;
+			}
+		}
+
+		if (quoteIt) {
+			fixedValue.insert(0,"\"");
+			fixedValue.append("\"");
+		}
+		return fixedValue.toString();
 	}
 
 	private static String generateKey(String key, String subKey) { |
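Review bot: A value with a leading or trailing space is still written unquoted, because `quoteIt` is only set for `;` and `#`; a config reader that trims unquoted values would then not round-trip such a value, and JGit's equivalent escaping quotes in that case too. The flag could be initialised as `boolean quoteIt = !value.isEmpty() && (value.charAt(0) == ' ' || value.charAt(value.length() - 1) == ' ');` with the rest of the switch unchanged. Whether a raw carriage return or a NUL character in a value also needs rejecting or escaping depends on the parser on the read side, which this hunk does not show, so that is worth confirming against it. Minor style: `fixedValue.insert(0,"\"")` is missing the space after the comma used elsewhere in the method. The whole of `escape` is visible in the hunk; the surrounding class continues outside it.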