github
/
teleport
mirror of https://github.com/tp4a/teleport
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

检查用户名合法性,防止SQL注入攻击

pull/130/head
Apex Liu 2018-11-26 17:40:48 +08:00
parent f91d092b87
commit f6996326de
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
server/www/teleport/webroot/app/controller/auth.py
View File

@ -107,15 +107,20 @@ class DoLoginHandler(TPBaseJsonHandler):
]: ]:
oath = None oath = None
# 检查用户名合法性防止SQL注入攻击
if '<' in username or '>' in username:
username = username.replace('<', '&lt;')
username = username.replace('>', '&gt;')
err = TPE_USER_AUTH
syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,可能是攻击行为。试图使用用户名 {} 进行登录。'.format(username))
return self.write_json(err)
err, user_info = user.login(self, username, password=password, oath_code=oath) err, user_info = user.login(self, username, password=password, oath_code=oath)
if err != TPE_OK: if err != TPE_OK:
if err == TPE_NOT_EXISTS: if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH err = TPE_USER_AUTH
syslog.sys_log({'username': username, 'surname': username}, self.request.remote_ip, TPE_NOT_EXISTS, syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,用户`{}`不存在'.format(username))
'登录失败,用户`{}`不存在'.format(username)) return self.write_json(err)
return self.write_json(err)
elif err == TPE_PRIVILEGE:
return self.write_json(err, '尚未分配角色,请联系管理员')
# 判断此用户是否被允许使用当前登录认证方式 # 判断此用户是否被允许使用当前登录认证方式
auth_type = user_info.auth_type auth_type = user_info.auth_type