COMMON: protect OAuth parsing from all possible input - fixes EOS-6500

apeters1971 · apeters1971 · commit 71a52f6460ce · 2025-09-19T13:33:33.000+02:00
diff --git a/common/OAuth.cc b/common/OAuth.cc
@@ -284,6 +284,9 @@ OAuth::Handle(const std::string& info, eos::common::VirtualIdentity& vid)
       if (tokens.size() < 5) {
         tokens.push_back("");
       }
+    } else {
+      eos_static_err("msg=\"invalid oauth token provided\" in=\"%s\"", info.c_str());
+      return "";
     }
   } else {
     tokens.resize(5);
@@ -295,6 +298,7 @@ OAuth::Handle(const std::string& info, eos::common::VirtualIdentity& vid)
   }
 
   OAuth::AuthInfo oinfo;
+
   time_t expires = strtoull(tokens[3].c_str(), 0, 10);
 
   if (!Validate(oinfo, tokens[1], tokens[2], tokens[4], expires)) {

Original file line number	Diff line number	Diff line change
`@@ -284,6 +284,9 @@ OAuth::Handle(const std::string& info, eos::common::VirtualIdentity& vid)`
`284`	`284`	`if (tokens.size() < 5) {`
`285`	`285`	`tokens.push_back("");`
`286`	`286`	`}`
	`287`	`+ } else {`
	`288`	`+ eos_static_err("msg=\"invalid oauth token provided\" in=\"%s\"", info.c_str());`
	`289`	`+ return "";`
`287`	`290`	`}`
`288`	`291`	`} else {`
`289`	`292`	`tokens.resize(5);`
`@@ -295,6 +298,7 @@ OAuth::Handle(const std::string& info, eos::common::VirtualIdentity& vid)`
`295`	`298`	`}`
`296`	`299`
`297`	`300`	`OAuth::AuthInfo oinfo;`
	`301`	`+`
`298`	`302`	`time_t expires = strtoull(tokens[3].c_str(), 0, 10);`
`299`	`303`
`300`	`304`	`if (!Validate(oinfo, tokens[1], tokens[2], tokens[4], expires)) {`