From 40cc8b670fac26f10f20026a8c75f42ca097a898 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Mon, 10 Oct 2022 23:56:09 +0100
Subject: [Fix] Try to fix the case where password == enable_password
Issue: #4306
---
 src/controller.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
(limited to 'src/controller.c')
diff --git a/src/controller.c b/src/controller.c
index 28677a906..2fff89eb4 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -511,7 +511,7 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 rspamd_ftok_t lookup;
 GHashTable *query_args = NULL;
 struct rspamd_controller_worker_ctx *ctx = session->ctx;
- gboolean check_normal = TRUE, check_enable = TRUE, ret = TRUE,
+ gboolean check_normal = FALSE, check_enable = FALSE, ret = TRUE,
 use_enable = FALSE;
 const struct rspamd_controller_pbkdf *pbkdf = NULL;
@@ -653,17 +653,36 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 if (check_normal) {
 if (ctx->enable_password == NULL) {
- /* We have passed password check and no enable password is specified (*/
+ /* We have passed password check and no enable password is specified */
 session->is_read_only = FALSE;
 }
+ else {
+ /*
+ * Even if we have passed normal password check, we don't really
+ * know if password == enable_password, so we need to check it
+ * as well, to decide if we are in read-only mode or not
+ */
+ check = ctx->enable_password;
+
+ if (!rspamd_is_encrypted_password (check, &pbkdf)) {
+ check_enable = FALSE;
+
+ if (strlen (check) == password->len) {
+ check_enable = rspamd_constant_memcmp (password->begin,
+ check,
+ password->len);
+ }
+ }
+ else {
+ check_enable = rspamd_check_encrypted_password (ctx,
+ password,
+ check, pbkdf, TRUE);
+ }
+ }
 }
-
- }
- else {
- check_normal = FALSE;
 }
- if (!check_normal && ctx->enable_password != NULL) {
+ if ((!check_normal && !check_enable) && ctx->enable_password != NULL) {
 check = ctx->enable_password;
 if (!rspamd_is_encrypted_password (check, &pbkdf)) {
@@ -681,9 +700,6 @@ rspamd_controller_check_password (struct rspamd_http_connection_entry *entry,
 check, pbkdf, TRUE);
 }
 }
- else {
- check_enable = FALSE;
- }
 if (check_enable) {
 /* We have passed enable password check, not a read-only mode */
-- cgit v1.2.3
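Review bot: The new `else` branch of `if (check_normal)` duplicates, statement for statement, the enable-password comparison in the block that follows it (`if ((!check_normal && !check_enable) && ctx->enable_password != NULL)`), so the two copies can drift apart, which is the sort of inconsistency this commit is fixing; I would move the comparison into a static helper and call it from both places, as sketched below. The enclosing function starts and ends outside the hunk, and the exact parameter types of `rspamd_check_encrypted_password` and of `password` are not visible here, so the helper's signature may need adjusting; the helper also keeps its own `pbkdf`, which is only safe if nothing after this point relies on the function-level `pbkdf` having been set by the enable-password check. Separately, `if (strlen (check) == password->len)` bails out before the constant-time compare, so the length of a plaintext enable_password is observable through timing; this is pre-existing in the lower block, but the new copy repeats it. Finally, with `check_enable` now initialised to FALSE in the first hunk and, in the visible lines, only assigned inside the `check_normal` branch, the `!check_enable` term in the second condition looks redundant, unless it is assigned in the lines not shown.
```c
/* Compare the supplied password token with ctx->enable_password
 * (plain text or PBKDF-encrypted); returns TRUE on a match. */
static gboolean
rspamd_controller_enable_password_matches (struct rspamd_controller_worker_ctx *ctx,
		const rspamd_ftok_t *password)
{
	const struct rspamd_controller_pbkdf *pbkdf = NULL;
	const gchar *check = ctx->enable_password;

	if (check == NULL) {
		return FALSE;
	}

	if (!rspamd_is_encrypted_password (check, &pbkdf)) {
		/* Length check first; the byte compare itself is constant-time */
		return strlen (check) == password->len &&
				rspamd_constant_memcmp (password->begin, check, password->len);
	}

	return rspamd_check_encrypted_password (ctx, password, check, pbkdf, TRUE);
}

/* … inside rspamd_controller_check_password, replacing both enable-password blocks … */
		if (check_normal) {
			if (ctx->enable_password == NULL) {
				/* We have passed password check and no enable password is specified */
				session->is_read_only = FALSE;
			}
			else {
				/* password may equal enable_password; that decides read-only or not */
				check_enable = rspamd_controller_enable_password_matches (ctx, password);
			}
		}
	}

	if ((!check_normal && !check_enable) && ctx->enable_password != NULL) {
		check_enable = rspamd_controller_enable_password_matches (ctx, password);
	}
	/* … unchanged: if (check_enable) { … } … */
```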