challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE

commit 0e64991bd4ec572c9764a3a1545d80766908e0dc
parent e82650d8c692492257ab17417c5d3816e49d3870
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Mon, 13 Jul 2026 21:06:49 +0200

fail closed if regex spec is malformed, also require full match of regex to field contents

Diffstat:
Msrc/challenger/challenger-httpd_challenge.c | 37++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/src/challenger/challenger-httpd_challenge.c b/src/challenger/challenger-httpd_challenge.c @@ -586,21 +586,32 @@ check_restrictions (const json_t *address) "Invalid regex `%s' address restriction specified for `%s'\n", regex, key); - continue; + /* Fail closed: a restriction that cannot be compiled must not be + treated as "no restriction". */ + return key; } - if (0 != regexec (&re, - str, - 0, - NULL, - 0)) { - GNUNET_log (GNUNET_ERROR_TYPE_WARNING, - "Client input `%s' rejected as it does not match address restriction `%s' specified for `%s'\n", - str, - regex, - key); - regfree (&re); - return key; + regmatch_t m; + + /* Anchor the match: the pattern must match the ENTIRE value, not just a + substring, otherwise e.g. "[0-9]{4}" would accept any value that + merely contains four digits. */ + if ( (0 != regexec (&re, + str, + 1, + &m, + 0)) || + (0 != m.rm_so) || + ('\0' != str[m.rm_eo]) ) + { + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + "Client input `%s' rejected as it does not match address restriction `%s' specified for `%s'\n", + str, + regex, + key); + regfree (&re); + return key; + } } regfree (&re); }