From eb9b9c49be60a5306e7e8d7c070f008159da04e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
Date: Wed, 7 Nov 2018 10:39:14 +0100
Subject: [PATCH] Add username sanity check, to avoid sql-injection
---
 src/apps/relay/turn_admin_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c
index 94933db5..00cfb08a 100644
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@@ -3295,7 +3295,7 @@ static void handle_logon_request(ioa_socket_handle s, struct http_request* hr)
 s->special_session_size = sizeof(struct admin_session);
 }
 
- if(!(as->as_ok) && uname && pwd) {
+ if(!(as->as_ok) && uname && is_secure_string((const u08bits*)uname) && pwd && is_secure_string((const u08bits*)pwd)) {
 const turn_dbdriver_t * dbd = get_dbdriver();
 if (dbd && dbd->get_admin_user) {
 password_t password;
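Review bot: The `is_secure_string()` checks added to the `if(!(as->as_ok) && ...)` condition filter input at this one call site only, so whatever query sits behind `dbd->get_admin_user` stays exposed to any other caller unless the driver itself binds or escapes the username. Neither the driver nor `is_secure_string` is visible in this hunk, so that should be confirmed and this filter treated as defence in depth rather than the fix. Applying the same filter to `pwd` looks unnecessary if the password is only compared after the lookup and never placed in a query, in which case it would reject legitimate passwords containing the filtered characters. I would document the intent on the condition, e.g. `/* reject logon fields that are unsafe for the SQL-backed drivers; drivers must still bind parameters */`, and a log entry for rejected logons would help detection. `handle_logon_request` starts and ends outside the hunk, so the failure path cannot be checked from here.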