From: Vsevolod Stakhov
Date: Wed, 1 Jun 2016 20:25:25 +0000 (+0200)
Subject: [CritFix] Fix unencrypted passwords processing in the controller
X-Git-Tag: 1.3.0~412
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6b0653316614412638de02476e76cdcf923d009a;p=rspamd.git

[CritFix] Fix unencrypted passwords processing in the controller

Reported by: @kvaps
---

diff --git a/src/controller.c b/src/controller.c
index 9bb6b3a3a..91f4cfed6 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -504,9 +504,15 @@ static gboolean rspamd_controller_check_password(
 "using password as enable_password for a privileged command");
 check = ctx->password;
 }
+
 if (check != NULL) {
 if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- ret = rspamd_constant_memcmp (password->begin, check, password->len);
+ ret = FALSE;
+
+ if (strlen (check) == password->len) {
+ ret = rspamd_constant_memcmp (password->begin, check,
+ password->len);
+ }
 }
 else {
 ret = rspamd_check_encrypted_password (ctx, password, check,
@@ -527,9 +533,15 @@ static gboolean rspamd_controller_check_password(
 /* Accept both normal and enable passwords */
 if (ctx->password != NULL) {
 check = ctx->password;
+
 if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- check_normal = rspamd_constant_memcmp (password->begin, check,
- password->len);
+ check_normal = FALSE;
+
+ if (strlen (check) == password->len) {
+ check_normal = rspamd_constant_memcmp (password->begin,
+ check,
+ password->len);
+ }
 }
 else {
 check_normal = rspamd_check_encrypted_password (ctx,
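Review bot: The plaintext branch — `ret = FALSE;` followed by `if (strlen (check) == password->len) { ret = rspamd_constant_memcmp (password->begin, check, password->len); }` — is now pasted three times (both hunks here and the `check_enable` hunk at `@@ -541`), so the length guard that keeps `rspamd_constant_memcmp` inside both buffers lives in three places and can drift; a small static helper taking `password` and `check` would hold it once, as sketched below. The guard also makes the comparison's cost depend on whether the submitted length equals the configured one, so response timing can reveal the length of a plaintext configured password; if that matters, reduce both sides to a fixed width (e.g. a hash) before the constant-time compare rather than skipping it on a length mismatch. The helper's `password` parameter type is inferred from the `->begin`/`->len` accesses and should be taken from the caller's declaration; `rspamd_controller_check_password` itself begins and ends outside these hunks.
```c
/* Compare the supplied password against a plaintext configured one.
 * The length check keeps rspamd_constant_memcmp inside both buffers. */
static gboolean
rspamd_controller_check_plain_password (const rspamd_ftok_t *password,
		const gchar *check)
{
	if (strlen (check) != password->len) {
		return FALSE;
	}

	return rspamd_constant_memcmp (password->begin, check, password->len);
}

/* … unchanged: selection of enable/normal password into check … */
		if (!rspamd_is_encrypted_password (check, &pbkdf)) {
			ret = rspamd_controller_check_plain_password (password, check);
		}
		/* … unchanged: encrypted-password branch … */
```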
@@ -541,11 +553,18 @@ static gboolean rspamd_controller_check_password(
 else {
 check_normal = FALSE;
 }
+
 if (ctx->enable_password != NULL) {
 check = ctx->enable_password;
+
 if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- check_enable = rspamd_constant_memcmp (password->begin, check,
- password->len);
+ check_enable = FALSE;
+
+ if (strlen (check) == password->len) {
+ check_enable = rspamd_constant_memcmp (password->begin,
+ check,
+ password->len);
+ }
 }
 else {
 check_enable = rspamd_check_encrypted_password (ctx,
@@ -564,7 +583,7 @@ static gboolean rspamd_controller_check_password(
 }
 if (check_normal == FALSE && check_enable == FALSE) {
- msg_info("absent or incorrect password has been specified");
+ msg_info ("absent or incorrect password has been specified");
 ret = FALSE;
 }