[Fix] Explicitly ban default passwords in webui
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 17 Oct 2016 09:25:37 +0000 (10:25 +0100)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 17 Oct 2016 09:26:04 +0000 (10:26 +0100)
src/controller.c

index ed990c898ca82859bc10d46348b1ec66133cf34f..ba6ee75617f142ce4c93d13d7115c4f6a92b3b45 100644 (file)
@@ -512,6 +512,13 @@ static gboolean rspamd_controller_check_password(
                ret = FALSE;
        }
        else {
+               if (rspamd_ftok_cstr_equal (password, "q1", FALSE) ||
+                               rspamd_ftok_cstr_equal (password, "q2", FALSE)) {
+                       msg_info_session ("deny default password for remote access");
+                       ret = FALSE;
+                       goto end;
+               }
+
                if (is_enable) {
                        /* For privileged commands we strictly require enable password */
                        if (ctx->enable_password != NULL) {
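Review bot: The banned defaults are bare literals spread over two calls on the two added lines, so the next default to ban means a third `||` clause and a second place to keep in sync; a small `static const char *const` table iterated with `G_N_ELEMENTS` keeps the list in one spot and leaves room for a why-comment such as `/* Reject the shipped sample passwords so an unchanged config never authenticates */` (the origin of "q1"/"q2" is not visible in the hunk, so word that to match the sample config). The comparison is case-sensitive (last argument FALSE), so `Q1` passes this filter; presumably acceptable because the later comparison against the configured value is equally strict, but worth stating in the comment. rspamd_controller_check_password starts before this hunk, and whether `password` can still be NULL in this `else` branch depends on the preceding `if`, which is not shown.
```c
static const char *const banned_defaults[] = { "q1", "q2" };
/* … unchanged: preceding branch that sets ret = FALSE … */
else {
	for (guint i = 0; i < G_N_ELEMENTS (banned_defaults); i++) {
		if (rspamd_ftok_cstr_equal (password, banned_defaults[i], FALSE)) {
			msg_info_session ("deny default password for remote access");
			ret = FALSE;
			goto end;
		}
	}
	/* … unchanged: is_enable handling … */
```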
@@ -542,10 +549,6 @@ static gboolean rspamd_controller_check_password(
                        else {
                                msg_warn_session (
                                                "no password to check while executing a privileged command");
-                               if (ctx->secure_map) {
-                                       msg_info("deny unauthorized connection");
-                                       ret = FALSE;
-                               }
                                ret = FALSE;
                        }
                }
@@ -598,15 +601,16 @@ static gboolean rspamd_controller_check_password(
                }
        }
 
-       if (query_args != NULL) {
-               g_hash_table_unref (query_args);
-       }
-
        if (check_normal == FALSE && check_enable == FALSE) {
                msg_info ("absent or incorrect password has been specified");
                ret = FALSE;
        }
 
+end:
+       if (query_args != NULL) {
+               g_hash_table_unref (query_args);
+       }
+
        if (!ret) {
                rspamd_controller_send_error (entry, 403, "Unauthorized");
        }
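Review bot: The new `end:` label is reached by the `goto end` added in the first hunk before the normal/enable checks run, so `query_args` must already hold NULL or a valid reference at that point; if it is declared without an initializer and only assigned after the banned-default block, the unref under the label reads an indeterminate pointer. Its declaration and assignment are outside this hunk, so confirm that `GHashTable *query_args = NULL;` (or an equivalent initialization) precedes the first jump. Jumping to `end` also bypasses the `check_normal == FALSE && check_enable == FALSE` log line while still reaching the 403 response, which looks intended; a short comment on the label, `/* end: shared cleanup and error response for every exit path */`, would make that explicit. rspamd_controller_check_password continues past this hunk.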