YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

[fix] Regex todo

Browse source
This commit is contained in:
ljf 2018-08-29 00:47:59 +02:00
parent 95e1c1cd2f
commit 945b04cc67
1 changed files with 10 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
helpers.lua
View file

@ -598,7 +598,7 @@ function ensure_user_password_uses_strong_hash(ldap, user, password)
end end
-- Read result of a command after given it securely the password -- Read result of a command after given it securely the password
function secure_cmd_password(cmd, password) function secure_cmd_password(cmd, password, start)
-- Check password validity -- Check password validity
math.randomseed( os.time() ) math.randomseed( os.time() )
local tmp_file = "/tmp/ssowat_"..math.random() local tmp_file = "/tmp/ssowat_"..math.random()
@ -611,10 +611,13 @@ function secure_cmd_password(cmd, password)
local text = "" local text = ""
for line in io.lines(tmp_file) do for line in io.lines(tmp_file) do
i = i + 1 i = i + 1
if i > 4 then if i > start then
text = text..line.."\n" text = text..line.."\n"
end end
end end
if i > start then
text = text:sub(1, -2)
end
r_pwd:close() r_pwd:close()
os.remove(tmp_file) os.remove(tmp_file)
ngx.log(ngx.STDERR, text) ngx.log(ngx.STDERR, text)
@ -651,7 +654,7 @@ function edit_user()
-- and the new password against the confirmation field's content -- and the new password against the confirmation field's content
if args.newpassword == args.confirm then if args.newpassword == args.confirm then
-- Check password validity -- Check password validity
local valid_result = secure_cmd_password("( python /usr/lib/moulinette/yunohost/utils/password.py 2>&1 || echo ::ERROR:: ) | tee -a %s", args.newpassword) local valid_result = secure_cmd_password("( python /usr/lib/moulinette/yunohost/utils/password.py 2>&1 || echo ::ERROR:: ) | tee -a %s", args.newpassword, 4)
-- We remove 4 lines due to a Warning message -- We remove 4 lines due to a Warning message
local i = 0 local i = 0
local validation_error = nil local validation_error = nil
@ -883,11 +886,9 @@ end
-- hash the user password using sha-512 and using {CRYPT} to uses linux auth system -- hash the user password using sha-512 and using {CRYPT} to uses linux auth system
-- because ldap doesn't support anything stronger than sha1 -- because ldap doesn't support anything stronger than sha1
function hash_password(password) function hash_password(password)
-- TODO is the password checked by regex? we don't want to local hashed_password = secure_cmd_password("mkpasswd --method=sha-512 | tee -a %s", password, 0)
-- allow shell injection ngx.log(ngx.STDERR, hashed_password)
local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'") hashed_password = "{CRYPT}"..hashed_password
local hashed_password = "{CRYPT}"..mkpasswd:read()
mkpasswd:close()
return hashed_password return hashed_password
end end
@ -901,7 +902,7 @@ function login()
local uri_args = ngx.req.get_uri_args() local uri_args = ngx.req.get_uri_args()
args.user = string.lower(args.user) args.user = string.lower(args.user)
local user = authenticate(args.user, args.password) local user = authenticate(args.user, args.password)
if user then if user then
ngx.status = ngx.HTTP_CREATED ngx.status = ngx.HTTP_CREATED