mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-05-05 06:37:10 -04:00
Merge 1603c2f5dd into 18ac89e374
This commit is contained in:
GitHub Merge Button
commit
dca621bb36
3 changed files with 39 additions and 14 deletions
|
|
@ -496,9 +496,13 @@ Class('Pad', {
|
|||
this.passwordHash = password == null ? null : hash(password, generateSalt());
|
||||
db.setSub("pad:"+this.id, ["passwordHash"], this.passwordHash);
|
||||
},
|
||||
getPasswordSalt: function()
|
||||
{
|
||||
return this.passwordHash.split("$")[1];
|
||||
},
|
||||
isCorrectPassword: function(password)
|
||||
{
|
||||
return compare(this.passwordHash, password)
|
||||
return timeSensitiveCompare(this.passwordHash, password)
|
||||
},
|
||||
isPasswordProtected: function()
|
||||
{
|
||||
|
|
@ -519,17 +523,21 @@ function hash(password, salt)
|
|||
function generateSalt()
|
||||
{
|
||||
var len = 86;
|
||||
var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
|
||||
var charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
|
||||
var randomstring = '';
|
||||
for (var i = 0; i < len; i++)
|
||||
{
|
||||
var rnum = Math.floor(Math.random() * chars.length);
|
||||
randomstring += chars.substring(rnum, rnum + 1);
|
||||
var rnum = Math.floor(Math.random() * charset.length);
|
||||
randomstring += charset[rnum];
|
||||
}
|
||||
return randomstring;
|
||||
}
|
||||
|
||||
function compare(hashStr, password)
|
||||
/* Compare the timed password hash with the saved value.
|
||||
* If the hash was generated too far in the past, it is rejected. */
|
||||
function timeSensitiveCompare(hashStr, password)
|
||||
{
|
||||
return hash(password, hashStr.split("$")[1]) === hashStr;
|
||||
var timestamp = password.split("$")[1];
|
||||
return password === hash(hashStr, timestamp)
|
||||
&& timestamp > new Date().getTime();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -91,6 +91,7 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
|
|||
var groupID = padID.split("$")[0];
|
||||
var padExists = false;
|
||||
var validSession = false;
|
||||
var pwsalt;
|
||||
var sessionAuthor;
|
||||
var tokenAuthor;
|
||||
var isPublic;
|
||||
|
|
@ -171,6 +172,9 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
|
|||
|
||||
//is it password protected?
|
||||
isPasswordProtected = pad.isPasswordProtected();
|
||||
|
||||
//get the password salt used by the hash function
|
||||
pwsalt = pad.getPasswordSalt();
|
||||
|
||||
//is password correct?
|
||||
if(isPasswordProtected && password && pad.isCorrectPassword(password))
|
||||
|
|
@ -202,13 +206,14 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
|
|||
else if(isPasswordProtected && passwordStatus == "wrong")
|
||||
{
|
||||
//--> deny access, ask for new password and tell them that the password is wrong
|
||||
statusObject = {accessStatus: "wrongPassword"};
|
||||
//The salt can be safely shared since it is not secret. It does its job (improving resistence against rainbow table attacks) even when public.
|
||||
statusObject = {accessStatus: "wrongPassword", passwordSalt: pwsalt};
|
||||
}
|
||||
//- the pad is password protected but no password given
|
||||
else if(isPasswordProtected && passwordStatus == "notGiven")
|
||||
{
|
||||
//--> ask for password
|
||||
statusObject = {accessStatus: "needPassword"};
|
||||
statusObject = {accessStatus: "needPassword", passwordSalt: pwsalt};
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue