mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
commit
3e94b09d3b
1 changed files with 12 additions and 29 deletions
39
helpers.lua
39
helpers.lua
|
@ -598,26 +598,20 @@ function ensure_user_password_uses_strong_hash(ldap, user, password)
|
|||
end
|
||||
|
||||
-- Read result of a command after given it securely the password
|
||||
function secure_cmd_password(cmd, password)
|
||||
function secure_cmd_password(cmd, password, start)
|
||||
-- Check password validity
|
||||
math.randomseed( os.time() )
|
||||
local tmp_file = "/tmp/ssowat_"..math.random()
|
||||
local w_pwd = io.popen(string.format(cmd, tmp_file), 'w')
|
||||
local w_pwd = io.popen("("..cmd..") tee -a "..tmp_file, 'w')
|
||||
w_pwd:write(password)
|
||||
-- This second write is just to validate the password question
|
||||
-- Do not remove
|
||||
w_pwd:write("")
|
||||
w_pwd:close()
|
||||
local r_pwd = io.open(tmp_file, 'r')
|
||||
local i = 0
|
||||
local text = ""
|
||||
for line in io.lines(tmp_file) do
|
||||
i = i + 1
|
||||
if i > 4 then
|
||||
text = text..line.."\n"
|
||||
end
|
||||
end
|
||||
text = r_pwd:read "*a"
|
||||
r_pwd:close()
|
||||
os.remove(tmp_file)
|
||||
ngx.log(ngx.STDERR, text)
|
||||
return text
|
||||
end
|
||||
|
||||
|
@ -651,19 +645,11 @@ function edit_user()
|
|||
-- and the new password against the confirmation field's content
|
||||
if args.newpassword == args.confirm then
|
||||
-- Check password validity
|
||||
local valid_result = secure_cmd_password("( python /usr/lib/moulinette/yunohost/utils/password.py 2>&1 || echo ::ERROR:: ) | tee -a %s", args.newpassword)
|
||||
-- We remove 4 lines due to a Warning message
|
||||
local i = 0
|
||||
local validation_error = nil
|
||||
local result_msg = nil
|
||||
local result_msg = secure_cmd_password("python /usr/lib/moulinette/yunohost/utils/password.py", args.newpassword)
|
||||
validation_error = true
|
||||
|
||||
for line in string.gmatch(valid_result, "[^\n]+") do
|
||||
if i == 0 then
|
||||
result_msg = line
|
||||
else
|
||||
validation_error = line
|
||||
end
|
||||
i = i + 1
|
||||
if result_msg == 'password_advice' or result_msg == nil or result_msg == "" then
|
||||
validation_error = nil
|
||||
end
|
||||
if validation_error == nil then
|
||||
|
||||
|
@ -883,11 +869,8 @@ end
|
|||
-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
|
||||
-- because ldap doesn't support anything stronger than sha1
|
||||
function hash_password(password)
|
||||
-- TODO is the password checked by regex? we don't want to
|
||||
-- allow shell injection
|
||||
local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
|
||||
local hashed_password = "{CRYPT}"..mkpasswd:read()
|
||||
mkpasswd:close()
|
||||
local hashed_password = secure_cmd_password("mkpasswd --method=sha-512", password)
|
||||
hashed_password = "{CRYPT}"..hashed_password
|
||||
return hashed_password
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in a new issue