diff options
author | Talle <talle-github@gelesneeuw.nl> | 2015-12-04 11:52:47 +0100 |
---|---|---|
committer | Talle <talle-github@gelesneeuw.nl> | 2015-12-04 11:52:47 +0100 |
commit | 5319cf409c37343c7553a14c9636cb31862cb245 (patch) | |
tree | e8514f3b5dca44794df04ad25d1cd1a464160703 /src/etc | |
parent | bc03c2e06dd8a7cbadb05566c7cea03495fc3bbb (diff) | |
download | pfsense-5319cf409c37343c7553a14c9636cb31862cb245.zip pfsense-5319cf409c37343c7553a14c9636cb31862cb245.tar.gz |
Change comparison of username to certificate common name to be safer and case insensitive
Currently the username is compared against the common name using a standard PHP comparison,
this is unsafe because it might do unintended type conversions. So change the != comparison to
an !== comparison to make sure the types match.
Since usernames on Windows sytstems are not case-sensitive and prone to case differences in
user input or auto filled fields we should allow case differences between the username and the
certificate common name.
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/openvpn.auth-user.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php index f994eb7..d258135 100644 --- a/src/etc/inc/openvpn.auth-user.php +++ b/src/etc/inc/openvpn.auth-user.php @@ -117,7 +117,7 @@ if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) { $authenticated = false; -if (($strictusercn === true) && ($common_name != $username)) { +if (($strictusercn === true) && (mb_strtolower($common_name) !== mb_strtolower($username))) { syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n"); if (isset($_GET['username'])) { echo "FAILED"; |