Truncate password to 55 bytes

2019-05-27 09:06:32 -05:00 · 2019-05-27 09:06:32 -05:00 · f820706e4f
parent 29e9e0f2cc
commit f820706e4f
1 changed files with 14 additions and 12 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@ -1073,7 +1073,7 @@ post "/login" do |env|
        next templated "error"
      end

-      if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
+      if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
        sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
        PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)

@ -1107,6 +1107,19 @@ post "/login" do |env|
        next templated "error"
      end

+      if password.empty?
+        error_message = translate(locale, "Password cannot be empty")
+        next templated "error"
+      end
+
+      # See https://security.stackexchange.com/a/39851
+      if password.bytesize > 55
+        error_message = translate(locale, "Password should not be longer than 55 characters")
+        next templated "error"
+      end
+
+      password = password.byte_slice(0, 55)
+
      if config.captcha_enabled
        captcha_type = env.params.body["captcha_type"]?
        answer = env.params.body["answer"]?
@ -1168,17 +1181,6 @@ post "/login" do |env|
        end
      end

-      if password.empty?
-        error_message = translate(locale, "Password cannot be empty")
-        next templated "error"
-      end
-
-      # See https://security.stackexchange.com/a/39851
-      if password.size > 55
-        error_message = translate(locale, "Password cannot be longer than 55 characters")
-        next templated "error"
-      end
-
      sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
      user, sid = create_user(sid, email, password)
      user_array = user.to_a