Merge pull request #105 from YunoHost/fix-regex-todo

Fix regex todo
2024-09-03 20:06:27 +02:00 · 2018-08-29 01:27:32 +02:00 · 2018-08-29 01:27:32 +02:00 · 3e94b09d3b
commit 3e94b09d3b
parent 95e1c1cd2f 7627101eb5
1 changed files with 12 additions and 29 deletions
--- a/helpers.lua
+++ b/helpers.lua
@ -598,26 +598,20 @@ function ensure_user_password_uses_strong_hash(ldap, user, password)
 end

 -- Read result of a command after given it securely the password
-function secure_cmd_password(cmd, password)
+function secure_cmd_password(cmd, password, start)
    -- Check password validity
    math.randomseed( os.time() )
    local tmp_file = "/tmp/ssowat_"..math.random()
-    local w_pwd = io.popen(string.format(cmd, tmp_file), 'w')
+    local w_pwd = io.popen("("..cmd..") tee -a "..tmp_file, 'w')
    w_pwd:write(password)
+    -- This second write is just to validate the password question
+    -- Do not remove
    w_pwd:write("")
    w_pwd:close()
    local r_pwd = io.open(tmp_file, 'r')
-    local i = 0
-    local text = ""
-    for line in io.lines(tmp_file) do
-        i = i + 1
-        if i > 4 then
-            text = text..line.."\n"
-        end
-    end
+    text = r_pwd:read "*a"
    r_pwd:close()
    os.remove(tmp_file)
-    ngx.log(ngx.STDERR, text)
    return text
 end

@ -651,19 +645,11 @@ function edit_user()
                -- and the new password against the confirmation field's content
                if args.newpassword == args.confirm then
                    -- Check password validity
-                    local valid_result = secure_cmd_password("( python /usr/lib/moulinette/yunohost/utils/password.py 2>&1 || echo ::ERROR:: ) | tee -a %s", args.newpassword)
-                    -- We remove 4 lines due to a Warning message
-                    local i = 0
-                    local validation_error = nil
-                    local result_msg = nil
+                    local result_msg = secure_cmd_password("python /usr/lib/moulinette/yunohost/utils/password.py", args.newpassword)
+                    validation_error = true

-                    for line in string.gmatch(valid_result, "[^\n]+") do
-                        if i == 0 then 
-                            result_msg = line 
-                        else
-                            validation_error = line
-                        end
-                        i = i + 1
+                    if result_msg == 'password_advice' or result_msg == nil or result_msg == "" then
+                        validation_error = nil
                    end
                    if validation_error == nil then

@ -883,11 +869,8 @@ end
 -- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
 -- because ldap doesn't support anything stronger than sha1
 function hash_password(password)
-    -- TODO is the password checked by regex? we don't want to
-    -- allow shell injection
-    local mkpasswd  = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
-    local hashed_password = "{CRYPT}"..mkpasswd:read()
-    mkpasswd:close()
+    local hashed_password = secure_cmd_password("mkpasswd --method=sha-512", password)
+    hashed_password = "{CRYPT}"..hashed_password
    return hashed_password
 end

@ -901,7 +884,7 @@ function login()
    local uri_args = ngx.req.get_uri_args()

    args.user = string.lower(args.user)
-
+    
    local user = authenticate(args.user, args.password)
    if user then
        ngx.status = ngx.HTTP_CREATED