lib/util: Add functions to escape log lines but not break all non-ascii

We do not want to turn every non-ascii username into a pile of hex, so we instead focus
on avoding newline insertion attacks and other low control chars

Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

6 files changed, 251 insertions, 1 deletions

diff --git a/lib/util/tests/util_str_escape.c b/lib/util/tests/util_str_escape.c
new file mode 100644
index 00000000000..82e2209ef55
--- /dev/null
+++ b/lib/util/tests/util_str_escape.c
@@ -0,0 +1,90 @@
+/*
+
+   util_str_escape testing
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "torture/torture.h"
+#include "torture/local/proto.h"
+#include "lib/util/util_str_escape.h"
+
+static bool test_log_escape_empty_string(struct torture_context *tctx)
+{
+	char *result = log_escape( tctx, "");
+	torture_assert_str_equal(tctx, result, "", "Empty string handling");
+	return true;
+}
+
+static bool test_log_escape_null_string(struct torture_context *tctx)
+{
+	char *result = log_escape( tctx, NULL);
+	torture_assert(tctx, (result == NULL), "Empty string handling");
+	return true;
+}
+
+static bool test_log_escape_plain_string(struct torture_context *tctx)
+{
+	const char *input    = "a plain string with no escapable characters";
+	const char *expected = "a plain string with no escapable characters";
+
+	char *result = log_escape( tctx, input);
+	torture_assert_str_equal(tctx, result, expected,
+				 "Plain string handling");
+	return true;
+}
+
+static bool test_log_escape_string(struct torture_context *tctx)
+{
+	const char *input    = "\a\b\f\n\r\t\v\\\x01";
+	const char *expected = "\\a\\b\\f\\n\\r\\t\\v\\\\\\x01";
+
+	char *result = log_escape( tctx, input);
+	torture_assert_str_equal(tctx, result, expected,
+				 "Escapable characters in string");
+	return true;
+}
+
+static bool test_log_escape_hex_string(struct torture_context *tctx)
+{
+	const char *input    = "\x01\x1F ";
+	const char *expected = "\\x01\\x1F ";
+
+	char *result = log_escape( tctx, input);
+	torture_assert_str_equal(tctx, result, expected,
+				 "hex escaping");
+	return true;
+}
+struct torture_suite *torture_local_util_str_escape(TALLOC_CTX *mem_ctx)
+{
+	struct torture_suite *suite = torture_suite_create(mem_ctx,
+							   "util_str_escape");
+
+	torture_suite_add_simple_test(suite, "log_escape_empty_string",
+				      test_log_escape_empty_string);
+	torture_suite_add_simple_test(suite, "log_escape_null_string",
+				      test_log_escape_null_string);
+	torture_suite_add_simple_test(suite, "log_escape_plain_string",
+				      test_log_escape_plain_string);
+	torture_suite_add_simple_test(suite, "log_escape_string",
+				      test_log_escape_string);
+	torture_suite_add_simple_test(suite, "log_escape_hex_string",
+				      test_log_escape_hex_string);
+
+
+	return suite;
+}
diff --git a/lib/util/util_str_escape.c b/lib/util/util_str_escape.c
new file mode 100644
index 00000000000..93cdd8de4a8
--- /dev/null
+++ b/lib/util/util_str_escape.c
@@ -0,0 +1,126 @@
+/*
+   Samba string escaping routines
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util_str_escape.h"
+
+
+/*
+ * Calculate the encoded length of a character for log_escape
+ *
+ */
+static size_t encoded_length(char c)
+{
+	if (c != '\\' &&  c > 0x1F) {
+		return 1;
+	} else {
+		switch (c) {
+		case '\a':
+		case '\b':
+		case '\f':
+		case '\n':
+		case '\r':
+		case '\t':
+		case '\v':
+		case '\\':
+			return 2;  /* C escape sequence */
+		default:
+			return 4;  /* hex escape \xhh   */
+		}
+	}
+}
+
+/*
+ * Escape any control characters in the inputs to prevent them from
+ * interfering with the log output.
+ */
+char *log_escape(TALLOC_CTX *frame, const char *in)
+{
+	size_t size = 0;        /* Space to allocate for the escaped data */
+	char *encoded = NULL;   /* The encoded string                     */
+	const char *c;
+	char *e;
+
+	if (in == NULL) {
+		return NULL;
+	}
+
+	/* Calculate the size required for the escaped array */
+	c = in;
+	while (*c) {
+		size += encoded_length( *c);
+		c++;
+	}
+	size++;
+
+	encoded = talloc_array( frame, char, size);
+	if (encoded == NULL) {
+		DBG_ERR( "Out of memory allocating encoded string");
+		return NULL;
+	}
+
+	c = in;
+	e = encoded;
+	while (*c) {
+		if (*c != '\\' && *c > 0x1F) {
+			*e++ = *c++;
+		} else {
+			switch (*c) {
+			case '\a':
+				*e++ = '\\';
+				*e++ = 'a';
+				break;
+			case '\b':
+				*e++ = '\\';
+				*e++ = 'b';
+				break;
+			case '\f':
+				*e++ = '\\';
+				*e++ = 'f';
+				break;
+			case '\n':
+				*e++ = '\\';
+				*e++ = 'n';
+				break;
+			case '\r':
+				*e++ = '\\';
+				*e++ = 'r';
+				break;
+			case '\t':
+				*e++ = '\\';
+				*e++ = 't';
+				break;
+			case '\v':
+				*e++ = '\\';
+				*e++ = 'v';
+				break;
+			case '\\':
+				*e++ = '\\';
+				*e++ = '\\';
+				break;
+			default:
+				snprintf(e, 5, "\\x%02X", *c);
+				e += 4;
+			}
+			c++;
+		}
+	}
+	*e = '\0';
+	return encoded;
+}
diff --git a/lib/util/util_str_escape.h b/lib/util/util_str_escape.h
new file mode 100644
index 00000000000..0b4c5964c14
--- /dev/null
+++ b/lib/util/util_str_escape.h
@@ -0,0 +1,27 @@
+/*
+   Samba string escaping routines
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SAMBA_UTIL_STR_ESCAPE_H
+#define _SAMBA_UTIL_STR_ESCAPE_H
+
+#include <talloc.h>
+
+char *log_escape(TALLOC_CTX *frame, const char *in);
+
+#endif
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index bd3cc62da85..91505eb1b44 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -204,3 +204,8 @@ else:
                         source='access.c',
                         deps='interfaces samba-util',
                         local_include=False)
+
+    bld.SAMBA_SUBSYSTEM('util_str_escape',
+                        source='util_str_escape.c',
+                        deps='talloc',
+                        local_include=False)
diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c
index 6641f211cff..89066c5f52f 100644
--- a/source4/torture/local/local.c
+++ b/source4/torture/local/local.c
@@ -74,6 +74,7 @@
 	torture_local_verif_trailer,
 	torture_local_nss,
 	torture_local_fsrvp,
+	torture_local_util_str_escape,
 	NULL
 };
 
diff --git a/source4/torture/local/wscript_build b/source4/torture/local/wscript_build
index 087b842141d..2f1a7c8415e 100644
--- a/source4/torture/local/wscript_build
+++ b/source4/torture/local/wscript_build
@@ -20,11 +20,12 @@ TORTURE_LOCAL_SOURCE = '''../../../lib/util/charset/tests/iconv.c
 	../../../lib/util/tests/strv.c
 	../../../lib/util/tests/strv_util.c
 	../../../lib/util/tests/util.c
+	../../../lib/util/tests/util_str_escape.c
 	verif_trailer.c
 	nss_tests.c
 	fsrvp_state.c'''
 
-TORTURE_LOCAL_DEPS = 'RPC_NDR_ECHO TDR LIBCLI_SMB MESSAGING iconv POPT_CREDENTIALS TORTURE_AUTH TORTURE_UTIL TORTURE_NDR TORTURE_LIBCRYPTO share torture_registry PROVISION ldb samdb replace-test RPC_FSS_STATE'
+TORTURE_LOCAL_DEPS = 'RPC_NDR_ECHO TDR LIBCLI_SMB MESSAGING iconv POPT_CREDENTIALS TORTURE_AUTH TORTURE_UTIL TORTURE_NDR TORTURE_LIBCRYPTO share torture_registry PROVISION ldb samdb replace-test RPC_FSS_STATE util_str_escape'
 
 bld.SAMBA_MODULE('TORTURE_LOCAL',
 	source=TORTURE_LOCAL_SOURCE,