diff options
author | Vsevolod Stakhov <vsevolod@rspamd.com> | 2022-10-10 23:56:09 +0100 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@rspamd.com> | 2022-10-10 23:56:52 +0100 |
commit | 40cc8b670fac26f10f20026a8c75f42ca097a898 (patch) | |
tree | ea9980c6fe69c76b463633ca2eb780f46ba50e7f /src | |
parent | c86b28185a6875e7dd805fc8a161f64f6af543c4 (diff) | |
download | rspamd-40cc8b670fac26f10f20026a8c75f42ca097a898.tar.gz rspamd-40cc8b670fac26f10f20026a8c75f42ca097a898.zip |
[Fix] Try to fix the case where password == enable_password
Issue: #4306
Diffstat (limited to 'src')
-rw-r--r-- | src/controller.c | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/src/controller.c b/src/controller.c index 28677a906..2fff89eb4 100644 --- a/src/controller.c +++ b/src/controller.c @@ -511,7 +511,7 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry, rspamd_ftok_t lookup; GHashTable *query_args = NULL; struct rspamd_controller_worker_ctx *ctx = session->ctx; - gboolean check_normal = TRUE, check_enable = TRUE, ret = TRUE, + gboolean check_normal = FALSE, check_enable = FALSE, ret = TRUE, use_enable = FALSE; const struct rspamd_controller_pbkdf *pbkdf = NULL; @@ -653,17 +653,36 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry, if (check_normal) { if (ctx->enable_password == NULL) { - /* We have passed password check and no enable password is specified (*/ + /* We have passed password check and no enable password is specified */ session->is_read_only = FALSE; } + else { + /* + * Even if we have passed normal password check, we don't really + * know if password == enable_password, so we need to check it + * as well, to decide if we are in read-only mode or not + */ + check = ctx->enable_password; + + if (!rspamd_is_encrypted_password (check, &pbkdf)) { + check_enable = FALSE; + + if (strlen (check) == password->len) { + check_enable = rspamd_constant_memcmp (password->begin, + check, + password->len); + } + } + else { + check_enable = rspamd_check_encrypted_password (ctx, + password, + check, pbkdf, TRUE); + } + } } - - } - else { - check_normal = FALSE; } - if (!check_normal && ctx->enable_password != NULL) { + if ((!check_normal && !check_enable) && ctx->enable_password != NULL) { check = ctx->enable_password; if (!rspamd_is_encrypted_password (check, &pbkdf)) { @@ -681,9 +700,6 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry, check, pbkdf, TRUE); } } - else { - check_enable = FALSE; - } if (check_enable) { /* We have passed enable password check, not a read-only mode */ |