Truncate password to 55 bytes
This commit is contained in:
parent
29e9e0f2cc
commit
f820706e4f
1 changed files with 14 additions and 12 deletions
@ -1073,7 +1073,7 @@ post "/login" do |env|
next templated "error"
end
if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
@ -1107,6 +1107,19 @@ post "/login" do |env|
next templated "error"
end
if password.empty?
error_message = translate(locale, "Password cannot be empty")
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.bytesize > 55
error_message = translate(locale, "Password should not be longer than 55 characters")
next templated "error"
end
password = password.byte_slice(0, 55)
if config.captcha_enabled
captcha_type = env.params.body["captcha_type"]?
answer = env.params.body["answer"]?
@ -1168,17 +1181,6 @@ post "/login" do |env|
end
end
if password.empty?
error_message = translate(locale, "Password cannot be empty")
next templated "error"
end
# See https://security.stackexchange.com/a/39851
if password.size > 55
error_message = translate(locale, "Password cannot be longer than 55 characters")
next templated "error"
end
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, password)
user_array = user.to_a
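Review bot: The added `password = password.byte_slice(0, 55)` in the second hunk is a no-op, because the `password.bytesize > 55` guard directly above already rejects anything longer; either drop the slice or drop the guard if silent truncation is the intended policy, as it is in the login hunk. That guard counts bytes while its message says "55 characters", so a shorter non-ASCII password can be refused with a misleading reason; `"Password should not be longer than 55 bytes"` (or a check on `password.size` if the message is to stay) would make the two agree. In the first hunk, `== password.byte_slice(0, 55)` silently verifies only the first 55 bytes of what the user typed and may cut a multi-byte UTF-8 sequence, so a comment such as `# Only the first 55 bytes are compared, matching the registration limit` would document the intent. Whether accounts created under the previous `password.size > 55` check with longer byte lengths can still log in after this change is not visible here and worth confirming. The `post "/login"` handler begins and ends outside these hunks.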