From 81a8e5a184acf81ff6d18c3e8c0fef59d92fbd05 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Sat, 18 Jun 2016 02:04:57 -0400
Subject: Write a mutable String class to avoid memory usage issues. Safer logging. As for logging, filter the password from more types of requests.
---
 proto/server/func_handlerequest.go.sh | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
(limited to 'proto/server')
diff --git a/proto/server/func_handlerequest.go.sh b/proto/server/func_handlerequest.go.sh
index d6160e9..cb2856a 100755
--- a/proto/server/func_handlerequest.go.sh
+++ b/proto/server/func_handlerequest.go.sh
@@ -32,6 +32,8 @@ import (
 s "syscall"
 )
+var sensitive = p.String("")
+
 // Handle a request to nslcd
 func HandleRequest(backend Backend, in io.Reader, out io.Writer, cred s.Ucred) (err error) {
 err = nil
@@ -67,13 +69,29 @@ while read -r request; do
 var req p.Request_${request}
 p.Read(in, &req)
 $(
- if [[ $request == PAM_Authentication ]]; then
- echo '_req := req'
- echo '_req.Password = ""'
- echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", _req)'
- else
- echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", req)'
- fi
+ case "$request" in
+ PAM_Authentication)
+ echo '_req := req'
+ echo '_req.Password = sensitive'
+ echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", _req)'
+ ;;
+ PAM_PwMod)
+ echo '_req := req'
+ echo 'if len(_req.OldPassword) > 0 {'
+ echo ' _req.OldPassword = sensitive'
+ echo '}'
+ echo '_req.NewPassword = sensitive'
+ echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", _req)'
+ ;;
+ PAM_UserMod)
+ echo '_req := req'
+ echo '_req.Password = sensitive'
+ echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", _req)'
+ ;;
+ *)
+ echo 'fmt.Fprintf(os.Stderr, "Request: %#v\n", req)'
+ ;;
+ esac
 )
 _ch := backend.${request}(cred, req)
 go func() {
--
cgit v1.2.3-2-g168b
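Review bot: The new package-level `sensitive` has no comment saying what it is for, and it is an empty `p.String`, so a redacted field may print the same as one that was never set unless `%#v` renders the two differently. A doc comment such as `// sensitive replaces secret fields in the copy of a request that is written to the log.` would record the intent, and a visibly distinct marker value would make redacted log lines unambiguous. The commit subject describes `p.String` as mutable and its definition is not in this hunk, so it is worth confirming that assigning this one shared value into several request copies cannot let a write through one copy change the others.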
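Review bot: Redaction in the second hunk depends on a hand-maintained list of request names: the `*)` branch still prints the whole request with `%#v`, so a request type that later gains a secret field is written to stderr in full until someone adds a branch for it. A comment above the `case` would record that contract, for example `# Every request type carrying a secret needs a branch here; *) logs the request unredacted.` The `PAM_Authentication` and `PAM_UserMod` branches emit identical code and could share one pattern, `PAM_Authentication|PAM_UserMod)`. The enclosing `while read` loop and the generated function body start and end outside the hunk.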