From 9b4afad6f4be212474809533ec2c280cce86501a Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sun, 13 Mar 2022 18:03:17 +0100 Subject: fix: Fix StoredUserConfig not escaping control characters The `StoredUserConfig` only escaped the escape character, i.e. backslash. But it does not escape control characters like tab or newline. This introduces a vulnerability where an attacker can create new entries in their user account and create new accounts. In addition, other characters are also not properly handled. Field values with a comment character need to be quoted. This only happens for the `#` character and only when the value starts with it. Also the quote is note escaped in values. This change completely rewrites the `escape` method of `StoredUserConfig`. It takes care of properly escaping characters that need escaping for the git configuration file format. This fixes #1410
---
src/main/java/com/gitblit/StoredUserConfig.java | 45 +++++++++++++++++++++++--
1 file changed, 42 insertions(+), 3 deletions(-)
(limited to 'src/main/java/com/gitblit')
diff --git a/src/main/java/com/gitblit/StoredUserConfig.java b/src/main/java/com/gitblit/StoredUserConfig.java
index 63e1015c..c8f93b20 100644
--- a/src/main/java/com/gitblit/StoredUserConfig.java
+++ b/src/main/java/com/gitblit/StoredUserConfig.java
@@ -89,9 +89,48 @@ public class StoredUserConfig {
 }
 private static String escape(String value) {
- String fixedValue = '#' == value.charAt(0) ? "\"" + value + "\"" : value;
- fixedValue = fixedValue.replace("\\", "\\\\");
- return fixedValue;
+ boolean quoteIt = false;
+ StringBuilder fixedValue = new StringBuilder(value.length() + 20);
+
+ for (char c : value.toCharArray()) {
+ switch (c) {
+ case '\n':
+ fixedValue.append("\\n");
+ break;
+
+ case '\t':
+ fixedValue.append("\\t");
+ break;
+
+ case '\b':
+ fixedValue.append("\\b");
+ break;
+
+ case '\\':
+ fixedValue.append("\\\\");
+ break;
+
+ case '"':
+ fixedValue.append("\\\"");
+ break;
+
+ case ';':
+ case '#':
+ quoteIt = true;
+ fixedValue.append(c);
+ break;
+
+ default:
+ fixedValue.append(c);
+ break;
+ }
+ }
+
+ if (quoteIt) {
+ fixedValue.insert(0,"\"");
+ fixedValue.append("\"");
+ }
+ return fixedValue.toString();
 }
 private static String generateKey(String key, String subKey) {
--
cgit v1.2.3
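Review bot: In the rewritten `escape`, a carriage return and every other control character not listed in the `switch` still fall through `default:` and are written out unescaped, and `quoteIt` is raised only for `;` and `#`. The git configuration format has no escape sequence for `'\r'`, so if the code that reads this file back treats a bare CR as a line end (the reader is not visible in this hunk), a value containing one could still split an entry; rejecting such input, e.g. `case '\r': case '\0': throw new IllegalArgumentException("control character in config value");`, or a round-trip test that feeds those characters through `escape` and the parser would settle it. Values that begin or end with a space are also left unquoted and would presumably lose that whitespace when parsed, which `boolean quoteIt = !value.isEmpty() && (value.charAt(0) == ' ' || value.charAt(value.length() - 1) == ' ');` would cover. The callers of `escape` lie outside the hunk, so whether a `null` value can reach `value.length()` cannot be judged from here.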