From 489b9a601d868054c6f1812a083e2e93830edc74 Mon Sep 17 00:00:00 2001
From: Basraah
Date: Fri, 10 Feb 2017 13:30:57 +1000
Subject: [PATCH] Implement Openfire username escaping (#703)
* Fix openfire username sanitize function
* Use escaping instead of stripping characters
---
 services/modules/openfire/manager.py | 33 +++++++++++++++++++++++-----
 services/modules/openfire/tests.py | 7 ++++++
 2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/services/modules/openfire/manager.py b/services/modules/openfire/manager.py
index 257907b7..672d57f7 100755
--- a/services/modules/openfire/manager.py
+++ b/services/modules/openfire/manager.py
@@ -37,9 +37,30 @@ class OpenfireManager:
 return completed_username
 @staticmethod
- def __santatize_username(username):
- sanatized = username.replace(" ", "_")
- return sanatized.lower()
+ def __sanitize_username(username):
+ # https://xmpp.org/extensions/xep-0106.html#escaping
+ replace = [
+ ("\\", "\\5c"), # Escape backslashes first to double escape existing escape sequences
+ ("\"", "\\22"),
+ ("&", "\\26"),
+ ("'", "\\27"),
+ ("/", "\\2f"),
+ (":", "\\3a"),
+ ("<", "\\3c"),
+ (">", "\\3e"),
+ ("@", "\\40"),
+ ("\u007F", ""),
+ ("\uFFFE", ""),
+ ("\uFFFF", ""),
+ (" ", "\\20"),
+ ]
+ sanitized = username.strip(' ')
+ for find, rep in replace:
+ sanitized = sanitized.replace(find, rep)
+ return sanitized
 @staticmethod
 def __generate_random_pass():
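Review bot: The rewritten `__sanitize_username` no longer lowercases its result — the removed line returned `sanatized.lower()`, while the new body returns the escaped string with the caller's case intact, so a name that used to become `alice` now becomes `Alice`. XMPP servers generally case-fold the localpart, so this probably does not create a duplicate account, but whether users created by the old code are still found under their new escaped names should be confirmed before merging, and the docstring should say the case change is deliberate. A second edge worth a line in the same docstring: `strip(' ')` only removes plain spaces, so a whitespace-only name collapses to an empty string that `add_user` (next hunk) would hand straight to `api.add_user`. A docstring such as `"""Escape *username* into an XMPP localpart per XEP-0106; case is preserved, surrounding spaces are stripped and U+007F/U+FFFE/U+FFFF are dropped."""` would capture both points.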
@@ -54,17 +75,17 @@ class OpenfireManager:
 def add_user(username):
 logger.debug("Adding username %s to openfire." % username)
 try:
- sanatized_username = OpenfireManager.__santatize_username(username)
+ sanitized_username = OpenfireManager.__sanitize_username(username)
 password = OpenfireManager.__generate_random_pass()
 api = ofUsers(settings.OPENFIRE_ADDRESS, settings.OPENFIRE_SECRET_KEY)
- api.add_user(sanatized_username, password)
+ api.add_user(sanitized_username, password)
 logger.info("Added openfire user %s" % username)
 except exception.UserAlreadyExistsException:
 # User exist
 logger.error("Attempting to add a user %s to openfire which already exists on server." % username)
 return "", ""
- return sanatized_username, password
+ return sanitized_username, password
 @staticmethod
 def delete_user(username):
diff --git a/services/modules/openfire/tests.py b/services/modules/openfire/tests.py
index 5257f7cc..c6ce71f6 100644
--- a/services/modules/openfire/tests.py
+++ b/services/modules/openfire/tests.py
@@ -205,3 +205,10 @@ class OpenfireManagerTestCase(TestCase):
 self.assertEqual(len(password), 16)
 self.assertIsInstance(password, type(''))
+
+ def test__sanitize_username(self):
+ test_username = " My_Test User\"'&/:<>@name\\20name"
+
+ result_username = self.manager._OpenfireManager__sanitize_username(test_username)
+
+ self.assertEqual(result_username, 'My_Test\\20User\\22\\27\\26\\2f\\3a\\3c\\3e\\40name\\5c20name')
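Review bot: `test__sanitize_username` pins a single composite input, so the behaviours the new implementation has at its edges are left unasserted: only plain spaces are stripped from the ends (a leading tab survives, since the escape table has no entry for it), an all-space name collapses to an empty string, and the input's case is now preserved where the old code lowercased it. Two short assertions such as `self.assertEqual(self.manager._OpenfireManager__sanitize_username('   '), '')` and `self.assertEqual(self.manager._OpenfireManager__sanitize_username('Alice'), 'Alice')` would document that these outcomes are intended rather than accidental. The enclosing `OpenfireManagerTestCase` class starts outside the hunk.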