authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-01 22:25:25 +0200
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-01 22:25:25 +0200
commit6b0653316614412638de02476e76cdcf923d009a (patch)
treeedaad6c5ba907386961fac517f375e1abb3a8d5e /src/controller.c
parent1edc26d06d1dc34b7a0489fee95bf33af4ace94e (diff)
[CritFix] Fix unencrypted passwords processing in the controller
Reported by: @kvaps
Diffstat (limited to 'src/controller.c')
-rw-r--r--src/controller.c31
1 files changed, 25 insertions, 6 deletions
diff --git a/src/controller.c b/src/controller.c
index 9bb6b3a3a..91f4cfed6 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -504,9 +504,15 @@ static gboolean rspamd_controller_check_password(
"using password as enable_password for a privileged command");
check = ctx->password;
}
+
if (check != NULL) {
if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- ret = rspamd_constant_memcmp (password->begin, check, password->len);
+ ret = FALSE;
+
+ if (strlen (check) == password->len) {
+ ret = rspamd_constant_memcmp (password->begin, check,
+ password->len);
+ }
}
else {
ret = rspamd_check_encrypted_password (ctx, password, check,
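Review bot: The length guard plus constant-time compare is now spelled out three times with three different result variables (`ret` here, `check_normal` and `check_enable` in the hunks at -527 and -541), which is exactly the kind of repetition that let the unguarded compare slip through before; a small static helper that takes the configured plaintext and the supplied bytes/length would keep the three call sites identical. Note also that `strlen (check) == password->len` short-circuits before `rspamd_constant_memcmp` runs, so the response time of a rejected attempt reveals whether the supplied length matched the configured plaintext's length but nothing about its contents; that is the usual trade-off for this pattern, and the helper's comment is the place to record it. The type of `password` is not visible in the hunk (it is used as a `begin`/`len` pair), so the helper below takes the pair explicitly. rspamd_controller_check_password begins before and continues after the hunk.
```c
/* Plaintext password check: lengths must match, then compare in constant time.
 * The length comparison itself is not constant time, so a rejected attempt can
 * reveal the configured password's length (but nothing of its contents). */
static gboolean
rspamd_controller_plain_password_match (const gchar *check,
		const gchar *supplied, gsize supplied_len)
{
	if (strlen (check) != supplied_len) {
		return FALSE;
	}

	return rspamd_constant_memcmp (supplied, check, supplied_len);
}

/* … unchanged: enable_password fallback … */
	if (check != NULL) {
		if (!rspamd_is_encrypted_password (check, &pbkdf)) {
			ret = rspamd_controller_plain_password_match (check,
					password->begin, password->len);
		}
/* … unchanged: encrypted-password branch … */
```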
@@ -527,9 +533,15 @@ static gboolean rspamd_controller_check_password(
/* Accept both normal and enable passwords */
if (ctx->password != NULL) {
check = ctx->password;
+
if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- check_normal = rspamd_constant_memcmp (password->begin, check,
- password->len);
+ check_normal = FALSE;
+
+ if (strlen (check) == password->len) {
+ check_normal = rspamd_constant_memcmp (password->begin,
+ check,
+ password->len);
+ }
}
else {
check_normal = rspamd_check_encrypted_password (ctx,
@@ -541,11 +553,18 @@ static gboolean rspamd_controller_check_password(
else {
check_normal = FALSE;
}
+
if (ctx->enable_password != NULL) {
check = ctx->enable_password;
+
if (!rspamd_is_encrypted_password (check, &pbkdf)) {
- check_enable = rspamd_constant_memcmp (password->begin, check,
- password->len);
+ check_enable = FALSE;
+
+ if (strlen (check) == password->len) {
+ check_enable = rspamd_constant_memcmp (password->begin,
+ check,
+ password->len);
+ }
}
else {
check_enable = rspamd_check_encrypted_password (ctx,
@@ -564,7 +583,7 @@ static gboolean rspamd_controller_check_password(
}
if (check_normal == FALSE && check_enable == FALSE) {
- msg_info("absent or incorrect password has been specified");
+ msg_info ("absent or incorrect password has been specified");
ret = FALSE;
}