challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE

commit 134ff3844a1d5cc043fedc8ab359643b246679d2
parent 1bf4878630654003cb89c9dd86cf0fe57d9ae976
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Wed, 15 Jul 2026 23:49:12 +0200

be more strict on client_id input validation

Diffstat:
Msrc/challenger/challenger-admin.c | 13++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/challenger/challenger-admin.c b/src/challenger/challenger-admin.c @@ -162,12 +162,15 @@ run (void *cls, unsigned long long row_id; char dummy; - if (1 != - sscanf (client_id, - "%llu%c", - &row_id, - &dummy)) + if ( (! isdigit ((unsigned char) client_id[0])) || + (1 != + sscanf (client_id, + "%llu%c", + &row_id, + &dummy)) ) { + /* Guard against the leading-sign / whitespace that strtoull (and thus + sscanf "%llu") would otherwise accept, so e.g. "-5" is rejected. */ fprintf (stderr, "CLIENT_ID must be a positive number\n"); global_ret = EXIT_INVALIDARGUMENT;