From 5e0f63eab488ef6430bfa6bd92f050baf93cc175 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 7 Mar 2019 15:45:48 +0100
Subject: [PATCH] Reject app password if they contains { or }
---
 locales/en.json | 1 +
 src/yunohost/app.py | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/locales/en.json b/locales/en.json
index f7a65a883..a70da7b82 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -380,6 +380,7 @@
 "pattern_port_or_range": "Must be a valid port number (i.e. 0-65535) or range of ports (e.g. 100:200)",
 "pattern_positive_number": "Must be a positive number",
 "pattern_username": "Must be lower-case alphanumeric and underscore characters only",
+ "pattern_password_app": "Sorry, passwords should not contain the following characters: {forbidden_chars}",
 "port_already_closed": "Port {port:d} is already closed for {ip_version:s} connections",
 "port_already_opened": "Port {port:d} is already opened for {ip_version:s} connections",
 "port_available": "Port {port:d} is available",
diff --git a/src/yunohost/app.py b/src/yunohost/app.py
index be0bb5a55..fa05ebe47 100644
--- a/src/yunohost/app.py
+++ b/src/yunohost/app.py
@@ -2287,6 +2287,9 @@ def _parse_action_args_in_yunohost_format(args, action_args, auth=None):
 else:
 raise YunohostError('app_argument_choice_invalid', name=arg_name, choices='yes, no, y, n, 1, 0')
 elif arg_type == 'password':
+ forbidden_chars = "{}"
+ if any(char in arg_value for char in forbidden_chars):
+ raise YunohostError('pattern_password_app', forbidden_chars=forbidden_chars)
 from yunohost.utils.password import assert_password_is_strong_enough
 assert_password_is_strong_enough('user', arg_value)
 args_dict[arg_name] = arg_value
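Review bot: The new brace check in the `arg_type == 'password'` branch of `_parse_action_args_in_yunohost_format` carries no comment saying why `{` and `}` are rejected, so a maintainer cannot tell which downstream consumer the restriction protects or when it can be lifted. I would add a comment above `forbidden_chars = "{}"` along the lines of `# Braces are rejected because <consumer that mishandles them>; remove once that path handles them safely`. If the reason is that the password later reaches format-style interpolation (an inference, since that code is outside the hunk), this blocklist only covers app arguments; the interpolation site itself should be fixed so that secrets are never treated as template text. Separately, `any(char in arg_value for char in forbidden_chars)` raises `TypeError` if `arg_value` is `None`; the function body starts outside the hunk, so confirm that an unset optional password cannot reach this line.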