Truncate password to 55 bytes

Omar Roth 2019-05-27 09:06:32 -05:00
parent 29e9e0f2cc
commit f820706e4f
No known key found for this signature in database
GPG Key ID: B8254FB7EC3D37F2
1 changed files with 14 additions and 12 deletions


@ -1073,7 +1073,7 @@ post "/login" do |env|
next templated "error" next templated "error"
end end
if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now) PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
@ -1107,6 +1107,19 @@ post "/login" do |env|
next templated "error" next templated "error"
end end
if password.empty?
error_message = translate(locale, "Password cannot be empty")
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.bytesize > 55
error_message = translate(locale, "Password should not be longer than 55 characters")
next templated "error"
end
password = password.byte_slice(0, 55)
if config.captcha_enabled if config.captcha_enabled
captcha_type = env.params.body["captcha_type"]? captcha_type = env.params.body["captcha_type"]?
answer = env.params.body["answer"]? answer = env.params.body["answer"]?
@ -1168,17 +1181,6 @@ post "/login" do |env|
end end
end end
if password.empty?
error_message = translate(locale, "Password cannot be empty")
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.size > 55
error_message = translate(locale, "Password cannot be longer than 55 characters")
next templated "error"
end
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, password) user, sid = create_user(sid, email, password)
user_array = user.to_a user_array = user.to_a
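Review bot: The login comparison in the first hunk silently truncates the submitted password with `password.byte_slice(0, 55)`, while the registration hunk rejects anything with `password.bytesize > 55`; that asymmetry means a login attempt longer than 55 bytes is accepted whenever its first 55 bytes match the stored password, and the user is never told their input was cut. Unless the truncation is deliberately there for accounts created under the earlier `password.size > 55` character-count check (which admitted multibyte passwords above 55 bytes), the login path should reuse the same `if password.bytesize > 55` guard and error page as registration instead of truncating, so both paths enforce one documented limit. In the registration hunk the new `password = password.byte_slice(0, 55)` is a no-op once that guard has passed, and the new message says "55 characters" while the check counts bytes, so a short non-ASCII password can be rejected with a misleading message; "55 bytes" would match the check. The enclosing `post "/login"` block starts before the first hunk and continues past the last.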