Safe handling of TEGid/auth_id strings

This commit is contained in:
Gent Semaj 2024-09-05 22:56:58 -04:00
parent c29899f2b9
commit 3c5eefd9c2
Signed by untrusted user: ycc
GPG Key ID: 2D76C57BF6BEADC4
2 changed files with 11 additions and 9 deletions

View File

@ -40,6 +40,7 @@
// wrapper for U16toU8
#define ARRLEN(x) (sizeof(x)/sizeof(*x))
#define AUTOU8(x) std::string(x, ARRLEN(x))
#define AUTOU16TOU8(x) U16toU8(x, ARRLEN(x))
// TODO: rewrite U16toU8 & U8toU16 to not use codecvt

View File

@ -109,18 +109,19 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
std::string userLogin;
std::string userPassword;
/*
* The std::string -> char* -> std::string maneuver should remove any
* trailing garbage after the null terminator.
*/
if (isCookieAuth) {
// username encoded in TEGid raw
userLogin = std::string((char*)login->szCookie_TEGid);
userLogin = std::string(AUTOU8((char*)login->szCookie_TEGid).c_str());
// clients that use web login but without proper cookies
// send their passwords instead, so store that
userPassword = std::string((char*)login->szCookie_authid);
// N.B. clients that use web login without proper cookies
// send their passwords in the cookie field
userPassword = std::string(AUTOU8((char*)login->szCookie_authid).c_str());
} else {
/*
* The std::string -> char* -> std::string maneuver should remove any
* trailing garbage after the null terminator.
*/
userLogin = std::string(AUTOU16TOU8(login->szID).c_str());
userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str());
}
@ -171,7 +172,7 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
}
if (isCookieAuth) {
const char *cookie = reinterpret_cast<const char*>(login->szCookie_authid);
const char *cookie = userPassword.c_str();
if (!Database::checkCookie(findUser.AccountID, cookie))
return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
} else {