From 3ecdb97bf6fbbd5eacf0176cf337d4b2b54f8112 Mon Sep 17 00:00:00 2001
From: YunoHost Bot
Date: Mon, 7 Aug 2017 18:24:55 +0200
Subject: [PATCH 1/8] Update from Weblate. (#85)
* Added translation using Weblate (Russian)
* [i18n] Translated using Weblate (Russian)
Currently translated at 12.1% (5 of 41 strings)
---
 portal/locales/ru.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 portal/locales/ru.json
diff --git a/portal/locales/ru.json b/portal/locales/ru.json
new file mode 100644
index 0000000..457d982
--- /dev/null
+++ b/portal/locales/ru.json
@@ -0,0 +1,7 @@
+{
+ "portal": "YunoHost Портал",
+ "information": "Ваша информация",
+ "username": "Имя пользователя",
+ "password": "Пароль",
+ "fullname": "Полное имя"
+}
From 044aa1d8eba51c74f16a9fc184666308dcab6daa Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 7 Aug 2017 12:59:52 -0400
Subject: [PATCH 2/8] Update changelog for 2.7.0 release
---
 debian/changelog | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 57d2a99..136b90d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+ssowat (2.7.0) testing; urgency=low
+
+ * [mod] comment didn't matched reality
+ * [i18n] Started russian translation (#85)
+
+Thanks to all contributors (Bram, Ozhiganov) ! <3
+
+ [ Alexandre Aubin ]
+
+ -- Alexandre Aubin Mon, 07 Aug 2017 12:58:39 -0400
+
 ssowat (2.6.8) testing; urgency=low
 
 [ Laurent Peuch ]
From 47f01b3f6f014d919764ddae59710c8ec63c0b3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?=
Date: Thu, 10 Aug 2017 16:31:00 +0200
Subject: [PATCH 3/8] Fixed support for incomplete translations (fallback to default language for missing strings)
---
 helpers.lua | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index e8a7787..64e690d 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -30,7 +30,7 @@ end
 
 -- Get the index of a value in a table
 function index_of(t,val)
- for k,v in ipairs(t) do 
+ for k,v in ipairs(t) do
 if v == val then return k end
 end
 end
@@ -50,8 +50,8 @@ end
 
 -- Find a string by its translate key in the right language
 function t(key)
- if conf.lang and i18n[conf.lang] then
- return i18n[conf.lang][key] or ""
+ if conf.lang and i18n[conf.lang] and i18n[conf.lang][key] then
+ return i18n[conf.lang][key]
 else
 return i18n[conf["default_language"]][key] or ""
 end
@@ -147,7 +147,7 @@ function set_auth_cookie(user, domain)
 "; Path=/"..
 "; Expires="..os.date("%a, %d %b %Y %X UTC;", expire)..
 "; Secure"
- 
+
 ngx.header["Set-Cookie"] = {
 "SSOwAuthUser="..user..cookie_str,
 "SSOwAuthHash="..hash..cookie_str,
@@ -556,13 +556,8 @@ function get_data_for(view)
 end
 
 -- Pass all the translated strings to the view (to use with t_)
- if conf.lang and i18n[conf.lang] then
- translate_table = i18n[conf.lang]
- else
- translate_table = i18n[conf["default_language"]]
- end
- for k, v in pairs(translate_table) do
- data["t_"..k] = v
+ for k, v in pairs(i18n[conf["default_language"]]) do
+ data["t_"..k] = i18n[conf.lang][k] or v
 end
 
 -- Pass flash notification content
From 2ff2fb92f36958b6c0b2da50de3f9b7e6d7db93f Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Tue, 15 Aug 2017 01:30:39 +0200
Subject: [PATCH 4/8] [enh] encode password using sha512 on user modification of password
---
 helpers.lua | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index e8a7787..b0a79dd 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -607,7 +607,8 @@ function edit_user()
 
 -- Open the LDAP connection
 local ldap = lualdap.open_simple(conf["ldap_host"], dn, args.currentpassword)
- local password = "{SHA}"..ngx.encode_base64(ngx.sha1_bin(args.newpassword))
+
+ local password = hash_password(args.newpassword)
 
 -- Modify the LDAP information
 if ldap:modify(dn, {'=', userPassword = password }) then
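Review bot: The new loop body `data["t_"..k] = i18n[conf.lang][k] or v` indexes `i18n[conf.lang]` without the `conf.lang and i18n[conf.lang]` guard that the `t(key)` function in the @@ -50 hunk keeps, so an unset `conf.lang` or a language with no table raises an attempt-to-index-nil error for every view (patch 8/8 of this series later adds that guard). Reusing the helper removes the duplicated fallback rule altogether: `data["t_"..k] = t(k)`, which yields the default-language string exactly as `or v` does here because `v` is that string. Note also that only the keys of the default language are iterated now, so a string present solely in the selected language is no longer exposed to the view; acceptable if the default language is the reference set, but worth stating in the comment above the loop. get_data_for begins and ends outside this hunk.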
@@ -808,6 +809,16 @@ function edit_user()
 end
 end
 
+-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
+-- because ldap doesn't support anything stronger than sha1
+function hash_password(password)
+ -- TODO is the password checked by regex? we don't want to
+ -- allow shell injection
+ local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password.."'")
+ local hashed_password = "{CRYPT}"..mkpasswd:read()
+ mkpasswd:close()
+ return hashed_password
+end
 -- Compute the user login POST request
 -- It authenticates the user against the LDAP base then redirects to the portal
From d16f3f81d0daaaafc166f2516975b07313ed7410 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Tue, 15 Aug 2017 11:41:24 +0200
Subject: [PATCH 5/8] [enh] auto rehash in sha-512 users passwords on login
---
 helpers.lua | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/helpers.lua b/helpers.lua
index b0a79dd..ba36cfb 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -293,6 +293,7 @@ function authenticate(user, password)
 -- cache shared table in order to eventually reuse it later when updating
 -- profile information or just passing credentials to an application.
 if connected then
+ ensure_user_password_uses_strong_hash(connected, user, password)
 cache:add(user.."-password", password, conf["session_timeout"])
 ngx.log(ngx.NOTICE, "Connected as: "..user)
 return user
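Review bot: `"{CRYPT}"..mkpasswd:read()` raises a bare 'attempt to concatenate a nil value' when mkpasswd is not installed or exits without output, because `read()` then returns nil, and whatever `mkpasswd:close()` reports is discarded; read the line first and fail with a clear message: `local line = mkpasswd:read()`, `mkpasswd:close()`, `if not line or line == "" then error("mkpasswd returned no hash") end`. Passing the password as a command-line argument also leaves it readable in the process list by any local account for the lifetime of the child, the same exposure the hmac_sha512 comment elsewhere in this file accepts for its key; io.popen is one-directional, so feeding it via stdin would need another mechanism, but the header comment should at least state the exposure. The unescaped quote the TODO worries about is addressed by patch 6/8 of this series.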
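Review bot: `ensure_user_password_uses_strong_hash(connected, user, password)` is called unprotected on the login path, so any error raised inside it (a search returning no entry, mkpasswd unavailable) now turns a successful bind into a Lua error and a failed login instead of a skipped rehash. Make the migration best-effort: `local ok, err = pcall(ensure_user_password_uses_strong_hash, connected, user, password)` followed by `if not ok then ngx.log(ngx.ERR, "Password rehash failed for "..user..": "..tostring(err)) end`. Whether `connected` is the lualdap handle the callee's `ldap:search` expects cannot be seen from this hunk; authenticate continues outside it.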
@@ -573,6 +574,33 @@ function get_data_for(view)
 return data
 end
 
+-- this function is launched after a successful login
+-- it checked if the user password is stored using the most secure hashing
+-- algorithm available
+-- if it's not the case, it migrates the password to this new hash algorithm
+function ensure_user_password_uses_strong_hash(ldap, user, password)
+ local current_hashed_password = nil
+
+ for dn, attrs in ldap:search {
+ base = "ou=users,dc=yunohost,dc=org",
+ scope = "onelevel",
+ sizelimit = 1,
+ filter = "(uid="..user..")",
+ attrs = {"userPassword"}
+ } do
+ current_hashed_password = attrs["userPassword"]:sub(0, 10)
+ end
+
+ -- if the password is not hashed using sha-512, which is the strongest
+ -- available hash rehash it using that
+ -- Here "{CRYPT}" means "uses linux auth system"
+ -- "6" means "uses sha-512", any lower number mean a less strong algo (1 == md5)
+ if current_hashed_password:sub(0, 10) ~= "{CRYPT}$6$" then
+ local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
+ local hashed_password = hash_password(password)
+ ldap:modify(dn, {'=', userPassword = hashed_password })
+ end
+end
 -- Compute the user modification POST request
 -- It has to update cached information and edit the LDAP user entry
From c8c7fe7fc79cf010eaeeddfe782f00200557f7f7 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Fri, 18 Aug 2017 02:34:46 +0200
Subject: [PATCH 6/8] [fix] prevent shell injections
---
 helpers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index ba36cfb..4ced5f4 100644
--- a/helpers.lua
+++ b/helpers.lua
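Review bot: `current_hashed_password` stays nil when the search yields no entry, so the `:sub(0, 10) ~= "{CRYPT}$6$"` comparison raises 'attempt to index a nil value' rather than skipping the rehash; guard it first, `if current_hashed_password == nil then ngx.log(ngx.WARN, "No userPassword found for "..user); return end`. The filter `"(uid="..user..")"` interpolates the login name verbatim, so a name containing `(`, `)`, `*` or `\` produces a malformed or broader filter — escape those characters as RFC 4515 requires, or read the entry through the same `conf["ldap_identifier"].."="..user..","..conf["ldap_group"]` DN the modify call builds, which would also drop the hard-coded `ou=users,dc=yunohost,dc=org` base. If lualdap hands back multi-valued attributes as tables, `attrs["userPassword"]:sub(0, 10)` fails as well — presumably single-valued here, verify against the library. The return value of `ldap:modify` is ignored, so a failed migration is silent, and the `:sub(0, 10)` inside the loop already truncates, making the second one redundant.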
@@ -842,7 +842,7 @@ end
 function hash_password(password)
 -- TODO is the password checked by regex? we don't want to
 -- allow shell injection
- local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password.."'")
+ local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
 local hashed_password = "{CRYPT}"..mkpasswd:read()
 mkpasswd:close()
 return hashed_password
From d440d06ae7cf824a507856a4377181c6f88733b3 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Fri, 18 Aug 2017 02:35:08 +0200
Subject: [PATCH 7/8] [fix] be paranoid and prevent shell injections here also while input is supposed to be safe
---
 helpers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index 4ced5f4..7c557c2 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -81,7 +81,7 @@ function hmac_sha512(key, message)
 -- this is really dirty and probably leak the key and the message in the process list
 -- but if someone got there I guess we really have other problems so this is acceptable
 -- and also this is way better than the previous situation
- local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
+ local pipe = io.popen("echo -n '" ..message:gsub("'", "'\\''").. "' | openssl sha512 -hmac '" ..key:gsub("'", "'\\''").. "'")
 
 -- openssl returns something like this:
 -- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
From 9b7fee7a1b2a205486210d95edc0bf78830cb3dd Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Sat, 19 Aug 2017 04:39:51 +0200
Subject: [PATCH 8/8] [fix] attempt to fix https://github.com/YunoHost/SSOwat/pull/86#issuecomment-323417926
---
 helpers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index 0bc68f1..ea7f67b 100644
--- a/helpers.lua
+++ b/helpers.lua
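Review bot: The `-- TODO is the password checked by regex? we don't want to allow shell injection` comment two lines above the changed line is now stale, since the new `gsub` does the quoting it asks for, and it will send the next reader hunting for a missing check; replace it with `-- single quotes are escaped so the value cannot leave the '...' argument; the password is still visible in the process list while mkpasswd runs`. The `'\''` replacement is the standard POSIX way to embed a quote inside a single-quoted word, and because `..` takes only the first value of a call, gsub's substitution count never reaches the command string. The rest of hash_password, including its closing `end`, lies outside the hunk.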
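Review bot: `echo -n '<message>'` is run by /bin/sh, which on the Debian systems this series' changelog targets is typically dash, whose built-in echo has no `-e` and always expands backslash escapes such as `\n` and `\c`, so a message containing a backslash is transformed before openssl sees it and the HMAC is computed over different bytes than intended; emit the bytes with printf instead: `local pipe = io.popen("printf '%s' '" ..message:gsub("'", "'\\''").. "' | openssl sha512 -hmac '" ..key:gsub("'", "'\\''").. "'")`. The quoting fix itself is correct. The key still travels on the openssl command line, as the comment above concedes; hmac_sha512 continues past the hunk.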
@@ -558,7 +558,7 @@ function get_data_for(view)
 
 -- Pass all the translated strings to the view (to use with t_)
 for k, v in pairs(i18n[conf["default_language"]]) do
- data["t_"..k] = i18n[conf.lang][k] or v
+ data["t_"..k] = (i18n[conf.lang] and i18n[conf.lang][k]) or v
 end
 
 -- Pass flash notification content
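Review bot: `i18n[conf.lang]` is now looked up twice per translation key inside the loop, and the guard duplicates the one `t(key)` already carries; hoist it above the loop as `local lang_strings = i18n[conf.lang] or {}` and write the body as `data["t_"..k] = lang_strings[k] or v`, which keeps a single nil check and reads plainly. Reusing `t(k)` directly would remove the duplicated fallback rule entirely, so the two paths cannot drift apart again. get_data_for begins and ends outside this hunk.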