2012/4/3 Theo de Raadt <[email protected]>:
> Hmm, I'd like to see that refactored somehow.
>
> Also, '-' should not be legal at the start of a login name. There
> are things that care. I think at the end it is OK, though.
>
> Crazy eh. Isn't there something else in libc that checks this?
New diff:
Index: login_yubikey.c
===================================================================
RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v
retrieving revision 1.4
diff -u -r1.4 login_yubikey.c
--- login_yubikey.c 1 Feb 2012 16:07:28 -0000 1.4
+++ login_yubikey.c 4 Apr 2012 13:23:01 -0000
@@ -36,6 +36,7 @@
#include <ctype.h>
#include <login_cap.h>
#include <pwd.h>
+#include <regex.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -165,12 +166,15 @@
static int
clean_string(const char *s)
{
- while (*s) {
- if (!isalnum(*s) && *s != '-' && *s != '_')
- return (0);
- ++s;
- }
- return (1);
+ char p[] = "^[0-9a-z_]+(($|[0-9a-z_-]$)|([0-9a-z\\._-]+[0-9a-z_-]$))";
+ int ret = 0;
+ regex_t r;
+
+ regcomp(&r,p,REG_EXTENDED);
+ if (regexec(&r,s,0,0,0) == 0)
+ ret = 1;
+ regfree(&r);
+ return (ret);
}
static int
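Review bot: The return value of `regcomp()` is ignored in the new `clean_string()`, so if compilation fails (for example under memory exhaustion) `regexec()` and `regfree()` operate on an uninitialised `regex_t`. A validator in a login helper should fail closed, e.g. `if (regcomp(&r, p, REG_EXTENDED | REG_NOSUB) != 0) return (0);`. Inside a POSIX bracket expression a backslash is an ordinary character, so `[0-9a-z\\._-]` also admits a literal `\` in the middle of a name; `[0-9a-z._-]` expresses what appears to be intended. The pattern also rejects the upper-case letters that the removed `isalnum()` loop accepted and newly permits '.' in the middle of a name, so if both are deliberate a one-line comment above `p` stating the accepted login-name grammar would make that explicit.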