mirror of
https://github.com/OpenFusionProject/OpenFusion.git
synced 2024-11-05 15:00:06 +00:00
Safe handling of TEGid/auth_id strings
parent
c29899f2b9
commit
3c5eefd9c2
@ -40,6 +40,7 @@
|
||||
|
||||
// wrapper for U16toU8
|
||||
#define ARRLEN(x) (sizeof(x)/sizeof(*x))
|
||||
#define AUTOU8(x) std::string(x, ARRLEN(x))
|
||||
#define AUTOU16TOU8(x) U16toU8(x, ARRLEN(x))
|
||||
|
||||
// TODO: rewrite U16toU8 & U8toU16 to not use codecvt
|
||||
|
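Review bot: ARRLEN does not reject a pointer argument, and the AUTOU8 macro defined next to it inherits that: a decayed or cast pointer still compiles and produces sizeof(pointer)/sizeof(element) as the length passed to std::string. The parameter is also used unparenthesised in `sizeof(*x)`. If the project builds as C++17, `#define ARRLEN(x) std::size(x)` (from `<iterator>`) turns a non-array argument into a compile error. Otherwise at least write `#define ARRLEN(x) (sizeof(x)/sizeof(*(x)))` and do the char cast inside the macro, `#define AUTOU8(x) std::string((char*)(x), ARRLEN(x))`, so callers pass the array itself.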
@ -109,18 +109,19 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
|
||||
|
||||
std::string userLogin;
|
||||
std::string userPassword;
|
||||
|
||||
/*
|
||||
* The std::string -> char* -> std::string maneuver should remove any
|
||||
* trailing garbage after the null terminator.
|
||||
*/
|
||||
if (isCookieAuth) {
|
||||
// username encoded in TEGid raw
|
||||
userLogin = std::string((char*)login->szCookie_TEGid);
|
||||
userLogin = std::string(AUTOU8((char*)login->szCookie_TEGid).c_str());
|
||||
|
||||
// clients that use web login but without proper cookies
|
||||
// send their passwords instead, so store that
|
||||
userPassword = std::string((char*)login->szCookie_authid);
|
||||
// N.B. clients that use web login without proper cookies
|
||||
// send their passwords in the cookie field
|
||||
userPassword = std::string(AUTOU8((char*)login->szCookie_authid).c_str());
|
||||
} else {
|
||||
/*
|
||||
* The std::string -> char* -> std::string maneuver should remove any
|
||||
* trailing garbage after the null terminator.
|
||||
*/
|
||||
userLogin = std::string(AUTOU16TOU8(login->szID).c_str());
|
||||
userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str());
|
||||
}
|
||||
@ -171,7 +172,7 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
|
||||
}
|
||||
|
||||
if (isCookieAuth) {
|
||||
const char *cookie = reinterpret_cast<const char*>(login->szCookie_authid);
|
||||
const char *cookie = userPassword.c_str();
|
||||
if (!Database::checkCookie(findUser.AccountID, cookie))
|
||||
return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
|
||||
} else {
|
||||
|
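Review bot: In the cookie branch the argument given to AUTOU8 is the cast expression `(char*)login->szCookie_TEGid`, so ARRLEN's `sizeof(x)/sizeof(*x)` works out to sizeof(char*) (8 on a typical 64-bit build) rather than the size of the packet field; this assumes the AUTOU8 lines are the new side of the change. userLogin and userPassword would then be cut to that many bytes. The later `Database::checkCookie` call, which now takes `userPassword.c_str()`, would see only that prefix of the client's cookie, and how far that weakens the comparison depends on checkCookie, which is not shown here. Measure the array before casting, e.g. `std::string((char*)login->szCookie_authid, ARRLEN(login->szCookie_authid)).c_str()`, and do the same on the szCookie_TEGid line. login()'s body continues outside these hunks.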