Merge pull request #5348 from orbisai0security/fix-strtok-security-vulnerability-scram

[Security] Fix HIGH vulnerability: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn
pull/5350/head
René Cannaò 3 months ago committed by GitHub
commit 933168ee28
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -271,15 +271,16 @@ static bool parse_scram_secret(const char *secret, int *iterations, char **salt,
s = strdup(secret);
if (!s)
goto invalid_secret;
if ((scheme_str = strtok(s, "$")) == NULL)
char *saveptr;
if ((scheme_str = strtok_r(s, "$", &saveptr)) == NULL)
goto invalid_secret;
if ((iterations_str = strtok(NULL, ":")) == NULL)
if ((iterations_str = strtok_r(NULL, ":", &saveptr)) == NULL)
goto invalid_secret;
if ((salt_str = strtok(NULL, "$")) == NULL)
if ((salt_str = strtok_r(NULL, "$", &saveptr)) == NULL)
goto invalid_secret;
if ((storedkey_str = strtok(NULL, ":")) == NULL)
if ((storedkey_str = strtok_r(NULL, ":", &saveptr)) == NULL)
goto invalid_secret;
if ((serverkey_str = strtok(NULL, "")) == NULL)
if ((serverkey_str = strtok_r(NULL, "", &saveptr)) == NULL)
goto invalid_secret;
/* Parse the fields */
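Review bot: The five strtok_r calls still accept a malformed secret with an empty field, because strtok_r, like strtok, skips leading delimiters and collapses adjacent ones: a value such as `SCRAM-SHA-256$4096:$storedkey:serverkey` passes every NULL check here with salt_str pointing at the stored key and the remaining fields shifted by one, so any rejection has to come from the decoding that follows the hunk, which is not visible. The change itself is sound as far as it goes: `s` is a private strdup copy, so the only hazard in the old code was strtok's static cursor under concurrent calls, and that is what the saveptr removes; `saveptr` may stay uninitialized since strtok_r ignores it when the first argument is non-NULL, though `char *saveptr = NULL;` would quiet analyzers that flag it. I would record the delimiter caveat above the first call, `/* strtok_r collapses runs of "$"/":" — an empty field shifts later ones; the decode step must reject that */`, so nobody later treats these NULL checks as format validation. parse_scram_secret begins before this hunk and continues after it.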
