From b51ee41b3d4c1f530e8d1a8850751251fa95b207 Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sat, 14 Jun 2025 14:05:54 +0200 Subject: fix: Fix exposing password hashes in user edit page When an administrator edits a user entry, the user's password hash is present on the edit page. This is unnecessary. But it exposes the hash to an administrator who could choose to try to brute-force the hash and use the password on other logins of that user. This is an issue for administrative users who have no access to the actual database on disk but access to the user edit web page. --- .../com/gitblit/wicket/pages/EditUserPage.java | 38 ++++++++++++++-------- 1 file changed, 24 insertions(+), 14 deletions(-) (limited to 'src/main/java/com/gitblit/wicket/pages/EditUserPage.java') diff --git a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java index c6014e8f..add83dce 100644 --- a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java +++ b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java @@ -93,8 +93,11 @@ public class EditUserPage extends RootSubPage { super.setupPage(getString("gb.edit"), userModel.username); } - final Model confirmPassword = new Model( - StringUtils.isEmpty(userModel.password) ? "" : userModel.password); + final Model confirmPassword = new Model(""); + + // Saving current password of user and clearing the one in the model so that it doesn't show up in the page. + final String oldPassword = userModel.password; + userModel.password = ""; CompoundPropertyModel model = new CompoundPropertyModel(userModel); // build list of projects including all repositories wildcards @@ -149,13 +152,15 @@ public class EditUserPage extends RootSubPage { boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username); if (app().authentication().supportsCredentialChanges(userModel)) { - if (!userModel.password.equals(confirmPassword.getObject())) { - error(getString("gb.passwordsDoNotMatch")); - return; - } - String password = userModel.password; - if (!PasswordHash.isHashedEntry(password)) { - // This is a plain text password. + + if (!StringUtils.isEmpty(userModel.password)) { + // The password was changed + String password = userModel.password; + if (!password.equals(confirmPassword.getObject())) { + error(getString("gb.passwordsDoNotMatch")); + return; + } + // Check length. int minLength = app().settings().getInteger(Keys.realm.minPasswordLength, 5); if (minLength < 4) { @@ -170,16 +175,19 @@ public class EditUserPage extends RootSubPage { // change the cookie userModel.cookie = userModel.createCookie(); - // Optionally store the password MD5 digest. + // Optionally store the password hash digest. String type = app().settings().getString(Keys.realm.passwordStorage, PasswordHash.getDefaultType().name()); PasswordHash pwdh = PasswordHash.instanceOf(type); if (pwdh != null) { // Hash the password userModel.password = pwdh.toHashedEntry(password, username); } - } else if (rename - && password.toUpperCase().startsWith(PasswordHash.Type.CMD5.name())) { - error(getString("gb.combinedMd5Rename")); - return; + } else { + if (rename && oldPassword.toUpperCase().startsWith(PasswordHash.Type.CMD5.name())) { + error(getString("gb.combinedMd5Rename")); + return; + } + // Set back saved password so that it is kept in the DB. + userModel.password = oldPassword; } } @@ -251,10 +259,12 @@ public class EditUserPage extends RootSubPage { form.add(new TextField("username").setEnabled(editCredentials)); NonTrimmedPasswordTextField passwordField = new NonTrimmedPasswordTextField("password"); passwordField.setResetPassword(false); + passwordField.setRequired(false); form.add(passwordField.setEnabled(editCredentials)); NonTrimmedPasswordTextField confirmPasswordField = new NonTrimmedPasswordTextField("confirmPassword", confirmPassword); confirmPasswordField.setResetPassword(false); + confirmPasswordField.setRequired(false); form.add(confirmPasswordField.setEnabled(editCredentials)); form.add(new TextField("displayName").setEnabled(editDisplayName)); form.add(new TextField("emailAddress").setEnabled(editEmailAddress)); -- cgit v1.2.3