From f820706e4f6cfdaea8990c03bfb6bfceaf4188be Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Mon, 27 May 2019 09:06:32 -0500
Subject: [PATCH] Truncate password to 55 bytes

---
 src/invidious.cr | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index a7cd137c..ad4401a7 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1073,7 +1073,7 @@ post "/login" do |env|
 next templated "error"
 end
- if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
@@ -1107,6 +1107,19 @@ post "/login" do |env|
 next templated "error"
 end
+ if password.empty?
+ error_message = translate(locale, "Password cannot be empty")
+ next templated "error"
+ end
+
+ # See https://security.stackexchange.com/a/39851
+ if password.bytesize > 55
+ error_message = translate(locale, "Password should not be longer than 55 characters")
+ next templated "error"
+ end
+
+ password = password.byte_slice(0, 55)
+
 if config.captcha_enabled
 captcha_type = env.params.body["captcha_type"]?
 answer = env.params.body["answer"]?
@@ -1168,17 +1181,6 @@ post "/login" do |env|
 end
 end
- if password.empty?
- error_message = translate(locale, "Password cannot be empty")
- next templated "error"
- end
-
- # See https://security.stackexchange.com/a/39851
- if password.size > 55
- error_message = translate(locale, "Password cannot be longer than 55 characters")
- next templated "error"
- end
-
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 user, sid = create_user(sid, email, password)
 user_array = user.to_a
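Review bot: The login path now compares the bcrypt hash against `password.byte_slice(0, 55)`, silently truncating the submitted password, while the registration path in the next hunk rejects anything with `bytesize > 55`; the two paths should agree, and rejecting is the safer choice. The check this patch replaces counted characters (`password.size > 55`), so accounts created before it may hold passwords of at most 55 characters but more than 55 bytes; for those users the stored hash presumably covers bytes the login side now drops, so the comparison would fail until they reset — worth confirming against the bcrypt implementation's actual input limit. Mirroring the registration check here, `if password.bytesize > 55 ... next templated "error"`, and passing the untruncated string to the comparison keeps behaviour consistent and avoids cutting a multibyte UTF-8 character in half at byte 55. The `post "/login"` block begins and ends outside this hunk.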
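Review bot: The new error text `"Password should not be longer than 55 characters"` does not match the condition `password.bytesize > 55`, which counts UTF-8 bytes, so a password of far fewer than 55 non-ASCII characters is rejected with a misleading message; the text should say bytes, or the message should explain that the limit is on encoded size. The line `password = password.byte_slice(0, 55)` that follows can no longer shorten anything once inputs over 55 bytes have already been rejected, so it is dead code and could be dropped in favour of a comment such as `# bcrypt's effective key length is 55 bytes; over-long input is rejected above rather than truncated`. If a locale key change is undesirable, at least the inline comment should make the bytes-versus-characters distinction explicit for the next reader. The enclosing `post "/login"` block starts and ends outside this hunk.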