CyberNinjas / pam_aad

Azure Active Directory PAM Module
GNU General Public License v3.0

Normalize input before comparing #55

Open neverrend opened 4 years ago

neverrend commented 4 years ago
```c
STATIC int verify_user(jwt_t * jwt, const char *username)
{
    /* "upn" claim from the token; jwt_get_grant() returns NULL if absent */
    const char *upn = jwt_get_grant(jwt, "upn");
    /* Exact, case-sensitive byte comparison: "Jdoe@..." != "jdoe@..." */
    return (upn && strcmp(upn, username) == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

We are accepting input from two sources without normalizing either, i.e. if John Doe was in AAD as Jdoe@example.com he would have to auth via a service with Jdoe instead of being able to use jdoe. The `strcmp` will fail every time due to this even though the user exists and is valid. Will push a PR to fix.
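The comparison described above, with both sides normalized before `strcmp`, as an added example that is not pam_aad's own code or the PR the reporter mentions. It takes the `upn` claim and the PAM-supplied username as plain C strings rather than a `jwt_t`, so it runs without libjwt; `normalize_identifier`, `verify_user_normalized` and the `NORM_MAX` bound are assumptions made for this example.

```c
/* Added example (not pam_aad's own code): normalize the token's "upn"
 * claim and the PAM-supplied username the same way before comparing. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NORM_MAX 256  /* assumed upper bound for a normalized identifier */

/* Copy src into dst, trimming leading/trailing ASCII whitespace and
 * lowercasing ASCII letters. Returns 0 on success, -1 if src is NULL or
 * the result would not fit; callers must treat -1 as a failed match. */
static int normalize_identifier(const char *src, char *dst, size_t dstlen)
{
    if (src == NULL || dstlen == 0)
        return -1;
    size_t start = 0, end = strlen(src);
    while (start < end && isspace((unsigned char)src[start]))
        start++;
    while (end > start && isspace((unsigned char)src[end - 1]))
        end--;
    size_t n = end - start;
    if (n >= dstlen)  /* leave room for the terminator */
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[start + i]);
    dst[n] = '\0';
    return 0;
}

/* Counterpart of verify_user() with normalization applied to both inputs.
 * Returns EXIT_SUCCESS only when both inputs normalize cleanly and are
 * byte-identical afterwards; NULL, oversized or empty input never matches. */
int verify_user_normalized(const char *upn, const char *username)
{
    char a[NORM_MAX], b[NORM_MAX];
    if (normalize_identifier(upn, a, sizeof a) != 0 ||
        normalize_identifier(username, b, sizeof b) != 0)
        return EXIT_FAILURE;
    /* An absent or blank claim must not equal a blank username. */
    if (a[0] == '\0')
        return EXIT_FAILURE;
    return (strcmp(a, b) == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

int main(void)
{
    /* Constructed inputs mirroring the case described in the issue. */
    const char *claim = "Jdoe@example.com";
    printf("case-sensitive strcmp: %s\n",
           strcmp(claim, "jdoe@example.com") == 0 ? "match" : "no match");
    printf("normalized compare:    %s\n",
           verify_user_normalized(claim, "jdoe@example.com") == EXIT_SUCCESS
               ? "match" : "no match");
    return 0;
}
```

The folding here is ASCII-only; identifiers containing non-ASCII characters would need a proper Unicode case-fold applied identically to both sides. The important property for an authentication check is that the same transformation is applied to both inputs and that only case and surrounding whitespace are collapsed, so two distinct accounts cannot normalize to the same string.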