Check if the user name contains any illegal characters.

Verify that the user name whose store will be used to remove and query
aliases does not contain any illegal and path traversal characters
(backward and forward slashes).

diff --git a/open-vm-tools/vgauth/common/usercheck.c b/open-vm-tools/vgauth/common/usercheck.c
index 3beede2e8a1048c977a764f38cb40ea9377a9fa0..2b4e424da45d8b4f35bd4ec4bd1180d612758a1f 100644 (file)
--- a/open-vm-tools/vgauth/common/usercheck.c
+++ b/open-vm-tools/vgauth/common/usercheck.c
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (C) 2011-2016,2019,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -78,6 +79,8 @@
  * Solaris as well, but that path is untested.
  */
 
+#define MAX_USER_NAME_LEN 256
+
 /*
  * A single retry works for the LDAP case, but try more often in case NIS
  * or something else has a related issue.  Note that a bad username/uid won't
@@ -354,12 +357,29 @@ Usercheck_UsernameIsLegal(const gchar *userName)
     * restricted list for local usernames.
     */
    size_t len;
-   char *illegalChars = "<>/";
+   size_t i = 0;
+   int backSlashCnt = 0;
+   /*
+    * As user names are used to generate its alias store file name/path, it
+    * should not contain path traversal characters ('/' and '\').
+    */
+   char *illegalChars = "<>/\\";
 
    len = strlen(userName);
-   if (strcspn(userName, illegalChars) != len) {
+   if (len > MAX_USER_NAME_LEN) {
       return FALSE;
    }
+
+   while ((i += strcspn(userName + i, illegalChars)) < len) {
+      /*
+       * One backward slash is allowed for domain\username separator.
+       */
+      if (userName[i] != '\\' || ++backSlashCnt > 1) {
+         return FALSE;
+      }
+      ++i;
+   }
+
    return TRUE;
 }
 

diff --git a/open-vm-tools/vgauth/serviceImpl/alias.c b/open-vm-tools/vgauth/serviceImpl/alias.c
index 4e170202c100fbfc9d95a4ca6bdbfccb88c47887..2a371f9ef6a722e32a6dbad48514e91a337d331d 100644 (file)
--- a/open-vm-tools/vgauth/serviceImpl/alias.c
+++ b/open-vm-tools/vgauth/serviceImpl/alias.c
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (c) 2011-2021, 2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -2803,8 +2804,13 @@ ServiceAliasRemoveAlias(const gchar *reqUserName,
 
    /*
     * We don't verify the user exists in a Remove operation, to allow
-    * cleanup of deleted user's stores.
+    * cleanup of deleted user's stores, but we do check whether the
+    * user name is legal or not.
     */
+   if (!Usercheck_UsernameIsLegal(userName)) {
+      Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
+      return VGAUTH_E_FAIL;
+   }
 
    if (!CertVerify_IsWellFormedPEMCert(pemCert)) {
       return VGAUTH_E_INVALID_CERTIFICATE;
@@ -3036,6 +3042,16 @@ ServiceAliasQueryAliases(const gchar *userName,
    }
 #endif
 
+   /*
+    * We don't verify the user exists in a Query operation to allow
+    * cleaning up after a deleted user, but we do check whether the
+    * user name is legal or not.
+    */
+   if (!Usercheck_UsernameIsLegal(userName)) {
+      Warning("%s: Illegal user name '%s'\n", __FUNCTION__, userName);
+      return VGAUTH_E_FAIL;
+   }
+
    err = AliasLoadAliases(userName, num, aList);
    if (VGAUTH_E_OK != err) {
       Warning("%s: failed to load Aliases for '%s'\n", __FUNCTION__, userName);