From 40cc8b670fac26f10f20026a8c75f42ca097a898 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Mon, 10 Oct 2022 23:56:09 +0100
Subject: [PATCH] [Fix] Try to fix the case where password == enable_password

Issue: #4306
---
 src/controller.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/src/controller.c b/src/controller.c
index 28677a906..2fff89eb4 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -511,7 +511,7 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 	rspamd_ftok_t lookup;
 	GHashTable *query_args = NULL;
 	struct rspamd_controller_worker_ctx *ctx = session->ctx;
-	gboolean check_normal = TRUE, check_enable = TRUE, ret = TRUE,
+	gboolean check_normal = FALSE, check_enable = FALSE, ret = TRUE,
 		use_enable = FALSE;
 	const struct rspamd_controller_pbkdf *pbkdf = NULL;
 
@@ -653,17 +653,36 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 
 				if (check_normal) {
 					if (ctx->enable_password == NULL) {
-						/* We have passed password check and no enable password is specified (*/
+						/* We have passed password check and no enable password is specified */
 						session->is_read_only = FALSE;
 					}
+					else {
+						/*
+						 * Even if we have passed normal password check, we don't really
+						 * know if password == enable_password, so we need to check it
+						 * as well, to decide if we are in read-only mode or not
+						 */
+						check = ctx->enable_password;
+
+						if (!rspamd_is_encrypted_password (check, &pbkdf)) {
+							check_enable = FALSE;
+
+							if (strlen (check) == password->len) {
+								check_enable = rspamd_constant_memcmp (password->begin,
+										check,
+										password->len);
+							}
+						}
+						else {
+							check_enable = rspamd_check_encrypted_password (ctx,
+									password,
+									check, pbkdf, TRUE);
+						}
+					}
 				}
-
-			}
-			else {
-				check_normal = FALSE;
 			}
 
-			if (!check_normal && ctx->enable_password != NULL) {
+			if ((!check_normal && !check_enable) && ctx->enable_password != NULL) {
 				check = ctx->enable_password;
 
 				if (!rspamd_is_encrypted_password (check, &pbkdf)) {
@@ -681,9 +700,6 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 							check, pbkdf, TRUE);
 				}
 			}
-			else {
-				check_enable = FALSE;
-			}
 
 			if (check_enable) {
 				/* We have passed enable password check, not a read-only mode */
-- 
2.39.5