New config option DisallowLoginCall to reject logins by glob match
This commit is contained in:
Heikki Hannikainen
parent
be7784197a
commit
8875cfb8fd
|
|
@ -566,7 +566,7 @@ static int check_call_prefix_match(char **set, const char *call, int len)
|
||||||
}
|
}
|
||||||
|
|
||||||
#define MAX_TEST_CALL_LEN 32
|
#define MAX_TEST_CALL_LEN 32
|
||||||
static int check_call_glob_match(char **set, const char *call, int len)
|
int check_call_glob_match(char **set, const char *call, int len)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
char ts[MAX_TEST_CALL_LEN+1];
|
char ts[MAX_TEST_CALL_LEN+1];
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,7 @@ extern const char *inerr_labels[];
|
||||||
|
|
||||||
extern int check_invalid_src_dst(const char *call, int len);
|
extern int check_invalid_src_dst(const char *call, int len);
|
||||||
extern int check_call_match(const char **set, const char *call, int len);
|
extern int check_call_match(const char **set, const char *call, int len);
|
||||||
|
extern int check_call_glob_match(char **set, const char *call, int len);
|
||||||
extern int check_path_calls(const char *via_start, const char *path_end);
|
extern int check_path_calls(const char *via_start, const char *path_end);
|
||||||
|
|
||||||
extern void incoming_flush(struct worker_t *self);
|
extern void incoming_flush(struct worker_t *self);
|
||||||
|
|
|
||||||
17
src/login.c
17
src/login.c
|
|
@ -45,6 +45,8 @@ static const char *quirks_mode_blacklist[] = {
|
||||||
/*
|
/*
|
||||||
* Parse the login string in a HTTP POST or UDP submit packet
|
* Parse the login string in a HTTP POST or UDP submit packet
|
||||||
* Argh, why are these not in standard POST parameters in HTTP?
|
* Argh, why are these not in standard POST parameters in HTTP?
|
||||||
|
*
|
||||||
|
* TODO: Used for UDP too, so should not say HTTP in log errors...
|
||||||
*/
|
*/
|
||||||
|
|
||||||
int http_udp_upload_login(const char *addr_rem, char *s, char **username)
|
int http_udp_upload_login(const char *addr_rem, char *s, char **username)
|
||||||
|
|
@ -84,6 +86,12 @@ int http_udp_upload_login(const char *addr_rem, char *s, char **username)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* check the username against a dynamic list of disallowed usernames */
|
||||||
|
if (disallow_login_glob && check_call_glob_match(disallow_login_glob, *username, username_len)) {
|
||||||
|
hlog(LOG_WARNING, "%s: HTTP POST: Login by user '%s' not allowed due to config", addr_rem, *username);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
/* make sure the callsign is OK on the APRS-IS */
|
/* make sure the callsign is OK on the APRS-IS */
|
||||||
if (check_invalid_q_callsign(*username, username_len)) {
|
if (check_invalid_q_callsign(*username, username_len)) {
|
||||||
hlog(LOG_WARNING, "%s: HTTP POST: Invalid login string, invalid 'user': '%s'", addr_rem, *username);
|
hlog(LOG_WARNING, "%s: HTTP POST: Invalid login string, invalid 'user': '%s'", addr_rem, *username);
|
||||||
|
|
@ -254,10 +262,17 @@ int login_handler(struct worker_t *self, struct client_t *c, int l4proto, char *
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* check the username against a dynamic list of disallowed usernames */
|
||||||
|
if (disallow_login_glob && check_call_glob_match(disallow_login_glob, c->username, c->username_len)) {
|
||||||
|
hlog(LOG_WARNING, "%s: Login by user '%s' not allowed due to config", c->addr_rem, c->username);
|
||||||
|
rc = client_printf(self, c, "# Login by user not allowed\r\n");
|
||||||
|
goto failed_login;
|
||||||
|
}
|
||||||
|
|
||||||
/* make sure the callsign is OK on the APRS-IS */
|
/* make sure the callsign is OK on the APRS-IS */
|
||||||
if (check_invalid_q_callsign(c->username, c->username_len)) {
|
if (check_invalid_q_callsign(c->username, c->username_len)) {
|
||||||
hlog(LOG_WARNING, "%s: Invalid login string, invalid 'user': '%s'", c->addr_rem, c->username);
|
hlog(LOG_WARNING, "%s: Invalid login string, invalid 'user': '%s'", c->addr_rem, c->username);
|
||||||
rc = client_printf(self, c, "# Invalid username format\r\n");
|
rc = client_printf(self, c, "# Invalid username format, not allowed\r\n");
|
||||||
goto failed_login;
|
goto failed_login;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -86,5 +86,5 @@ FileLimit 10000
|
||||||
|
|
||||||
# Additional callsigns blocked
|
# Additional callsigns blocked
|
||||||
DisallowSourceCall N7CALL N8CALL* *DROP DRG* OH?DRU O*ZZZ
|
DisallowSourceCall N7CALL N8CALL* *DROP DRG* OH?DRU O*ZZZ
|
||||||
DisallowLoginCall LOGINB LOGINC
|
DisallowLoginCall LOGINA LOGINB *prrej mi*rej sufre*
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -196,13 +196,17 @@ sub connect($;%)
|
||||||
while (my $l = $self->getline()) {
|
while (my $l = $self->getline()) {
|
||||||
#warn "login got: $l\n";
|
#warn "login got: $l\n";
|
||||||
return 1 if ($l =~ /^#\s+logresp\s+/);
|
return 1 if ($l =~ /^#\s+logresp\s+/);
|
||||||
|
if ($l =~ /^#\s+(.*)(not allowed|invalid)(.*)/i) {
|
||||||
|
$self->{'error'} = "Login rejected: $1$2$3";
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
if (time() - $t > 5) {
|
if (time() - $t > 5) {
|
||||||
$self->{'error'} = "Login command timed out";
|
$self->{'error'} = "Login command timed out";
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
=head1 connected()
|
=head1 connected()
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue