From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 13:55:21 +0200
Subject: [PATCH 20/23] oidc_child: escape scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before using the user-provided scopes in the HTTP request, they should be
properly escaped according to RFC-3986.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child.c | 4 ++--
src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++
src/oidc_child/oidc_child_util.h | 2 ++
3 files changed, 39 insertions(+), 2 deletions(-)
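--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
 }
 
 if (scope != NULL && *scope != '\0') {
- dc_ctx->scope = talloc_strdup(dc_ctx, scope);
+ dc_ctx->scope = url_encode_string(dc_ctx, scope);
 if (dc_ctx->scope == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n");
 ret = ENOMEM;
 goto done;
 }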
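Review bot: After this change dc_ctx->scope holds the percent-encoded form of the user's scopes, so wherever the request body or URL is later assembled from it (outside this hunk) the value must be used verbatim and never escaped a second time, or the scopes end up double-encoded; a comment at the assignment, `/* stored URL-encoded (RFC 3986); use verbatim when building requests, never escape again */`, would protect the next reader, and the same remark belongs on the scope field of struct devicecode_ctx. Note also that url_encode_string returns NULL for a failed curl_easy_init() or curl_easy_escape() as well as for out-of-memory, so `ret = ENOMEM` on the following line now mislabels libcurl failures; if the distinction matters, the helper would have to report an errno_t, since the caller cannot tell the cases apart. set_endpoints continues outside the hunk on both sides.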
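--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -26,6 +26,41 @@
 #include <curl/curl.h>
 #include "oidc_child/oidc_child_util.h"
 
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp)
+{
+ CURL *curl_ctx = NULL;
+ char *tmp;
+ char *out = NULL;
+
+ if (inp == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n");
+ return NULL;
+ }
+
+ curl_ctx = curl_easy_init();
+ if (curl_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n");
+ return NULL;
+ }
+
+ tmp = curl_easy_escape(curl_ctx, inp, 0);
+ if (tmp == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp);
+ goto done;
+ }
+
+ out = talloc_strdup(mem_ctx, tmp);
+ curl_free(tmp);
+ if (out == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n");
+ goto done;
+ }
+
+done:
+ curl_easy_cleanup(curl_ctx);
+ return (out);
+}
+
 /* The curl write_callback will always append the received data. To start a
 * new string call clean_http_data() before the curl request.*/
 void clean_http_data(struct devicecode_ctx *dc_ctx)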
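Review bot: url_encode_string carries no comment stating its contract, and its four failure modes (NULL input, failed curl_easy_init(), failed curl_easy_escape(), failed talloc_strdup()) all collapse into a NULL return, which is why the caller in oidc_child.c can only report ENOMEM. A header comment above the definition such as `/* Percent-encode inp per RFC 3986 via curl_easy_escape (length 0 = strlen). Result is talloc-allocated on mem_ctx; returns NULL on NULL input, libcurl failure or OOM. */`, repeated on the prototype in oidc_child_util.h, would make that explicit; the "Empty input." message is also misleading, since it fires for NULL, not for an empty string, and `"NULL input.\n"` says what is checked. The escape and strdup failures are logged at SSSDBG_TRACE_ALL while the caller then emits a CRIT_FAILURE, so at normal log levels the actual cause is invisible; SSSDBG_OP_FAILURE, as already used for the curl_easy_init() branch, would be consistent. The throwaway easy handle created on every call deserves a why-comment, e.g. `/* curl_easy_escape requires an easy handle; a private one keeps this helper independent of the request handle */`, and `return (out);` would read better as `return out;`.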
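--- a/src/oidc_child/oidc_child_util.h
+++ b/src/oidc_child/oidc_child_util.h
@@ -61,6 +61,8 @@ struct devicecode_ctx {
 };
 
 /* oidc_child_curl.c */
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp);
+
 errno_t init_curl(void *p);
 
 void clean_http_data(struct devicecode_ctx *dc_ctx);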
--
2.37.3