safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-839: Add sanity checks around parsed PEM data, which may indeed be null.

Browse Source
This commit is contained in:
Michael Jumper
2023-03-08 09:34:52 -08:00
parent 6424b063f2
commit f98901f933
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
View File

@@ -253,7 +253,20 @@ public class SSLClientAuthenticationResource extends SSOResource {
try (Reader reader = new StringReader(new String(certificate, StandardCharsets.UTF_8))) {
PEMParser parser = new PEMParser(reader);
cert = (X509CertificateHolder) parser.readObject();
Object object = parser.readObject();
// Verify received data is indeed an X.509 certificate
if (object == null || !(object instanceof X509CertificateHolder))
throw new GuacamoleClientException("Certificate did not "
+ "contain an X.509 certificate.");
// Verify sanity of received certificate (there should be only
// one object here)
if (parser.readObject() != null)
throw new GuacamoleClientException("Certificate contains "
+ "more than a single X.509 certificate.");
cert = (X509CertificateHolder) object;
// Verify certificate is valid (it should be given pre-validation
// from SSL termination, but it's worth rechecking for sanity)