mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-21 16:06:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

webaccess: Be extra paranoid about nullish password

Browse source 
If `settings.json` contains a user without a `password` property then
nobody should be able to log in as that user using the built-in HTTP
basic authentication. This is true both with and without this change,
but before this change it wasn't immediately obvious that a malicious
user couldn't use an empty or null password to log in as such a user.
This commit adds an explicit nullish check and some unit tests to
ensure that an empty or null password will not work if the `password`
property is null or undefined.
This commit is contained in:
Richard Hansen 2020-10-28 17:38:46 -04:00 committed by John McLear
parent 98de2b0899
commit 6408d2313c
2 changed files with 19 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/node/hooks/express/webaccess.js
View file

@ -153,8 +153,8 @@ exports.checkAccess = (req, res, next) => {
hooks.aCallFirst('authenticate', ctx, hookResultMangle((ok) => {
if (!ok) {
// Fall back to HTTP basic auth.
if (!httpBasicAuth || !(ctx.username in settings.users) ||
settings.users[ctx.username].password !== ctx.password) {
const {[ctx.username]: {password} = {}} = settings.users;
if (!httpBasicAuth || password == null || password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip}`);
return hooks.aCallFirst('authnFailure', {req, res}, hookResultMangle((ok) => {
if (ok) return;