mirror of
https://github.com/m1ngsama/TNT.git
synced 2026-02-08 00:54:03 +00:00
- Add is_valid_username() function to prevent injection attacks
  * Reject shell metacharacters: |;&$`<>(){}[]'"\
  * Reject control characters (except tab)
  * Reject usernames starting with space, dot, or dash
- Apply username validation in read_username() with fallback to "anonymous"
- Add rate limiting via sleep(1) on validation failure
- Sanitize message content in message_save():
  * Replace pipe, newline, carriage return to prevent log injection
  * Ensure null termination of sanitized strings
- Enhance message_load() validation:
  * Check for oversized lines
  * Validate field lengths before copying
  * Validate timestamp reasonableness (not >1 day future, <10 years past)
  * Ensure null termination of all loaded strings
These changes address:
- Username injection vulnerabilities
- Message content injection in log files
- Log file format corruption attacks
- Malformed timestamp handling
Prevents:
- Command injection via usernames
- Log poisoning attacks
- DoS via oversized messages
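The username and message-content rules listed in the commit message, as an added C example that is not the project's own code; the function names, the USERNAME_MAX limit and the choice to replace rejected characters with a space are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit; the project's actual value is not shown on this page. */
#define USERNAME_MAX 32

/* Return true only if the username contains no shell metacharacters,
 * no control characters other than tab, and does not start with a
 * space, dot or dash (the rules described in the commit message). */
bool is_valid_username(const char *name)
{
    static const char *metachars = "|;&$`<>(){}[]'\"\\";
    size_t len;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > USERNAME_MAX)
        return false;
    if (name[0] == ' ' || name[0] == '.' || name[0] == '-')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (strchr(metachars, c) != NULL)
            return false;
        if (iscntrl(c) && c != '\t')
            return false;
    }
    return true;
}

/* Copy msg into out (capacity outlen), replacing pipe, newline and
 * carriage return with a space so one message cannot forge an extra
 * field or a second record in a pipe-delimited log line. Always
 * null-terminates and returns the number of bytes written. */
size_t sanitize_message(const char *msg, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return 0;
    for (; msg[n] != '\0' && n + 1 < outlen; n++) {
        char c = msg[n];
        out[n] = (c == '|' || c == '\n' || c == '\r') ? ' ' : c;
    }
    out[n] = '\0';
    return n;
}
```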