mirror of
https://gitea.invidious.io/iv-org/invidious-copy-2023-06-08.git
synced 2024-08-15 00:53:38 +00:00
Truncate password to 55 bytes
This commit is contained in:
parent
29e9e0f2cc
commit
f820706e4f
1 changed files with 14 additions and 12 deletions
|
@ -1073,7 +1073,7 @@ post "/login" do |env|
|
||||||
next templated "error"
|
next templated "error"
|
||||||
end
|
end
|
||||||
|
|
||||||
if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
|
if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
|
||||||
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
|
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
|
||||||
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
|
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
|
||||||
|
|
||||||
|
@ -1107,6 +1107,19 @@ post "/login" do |env|
|
||||||
next templated "error"
|
next templated "error"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if password.empty?
|
||||||
|
error_message = translate(locale, "Password cannot be empty")
|
||||||
|
next templated "error"
|
||||||
|
end
|
||||||
|
|
||||||
|
# See https://security.stackexchange.com/a/39851
|
||||||
|
if password.bytesize > 55
|
||||||
|
error_message = translate(locale, "Password should not be longer than 55 characters")
|
||||||
|
next templated "error"
|
||||||
|
end
|
||||||
|
|
||||||
|
password = password.byte_slice(0, 55)
|
||||||
|
|
||||||
if config.captcha_enabled
|
if config.captcha_enabled
|
||||||
captcha_type = env.params.body["captcha_type"]?
|
captcha_type = env.params.body["captcha_type"]?
|
||||||
answer = env.params.body["answer"]?
|
answer = env.params.body["answer"]?
|
||||||
|
@ -1168,17 +1181,6 @@ post "/login" do |env|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if password.empty?
|
|
||||||
error_message = translate(locale, "Password cannot be empty")
|
|
||||||
next templated "error"
|
|
||||||
end
|
|
||||||
|
|
||||||
# See https://security.stackexchange.com/a/39851
|
|
||||||
if password.size > 55
|
|
||||||
error_message = translate(locale, "Password cannot be longer than 55 characters")
|
|
||||||
next templated "error"
|
|
||||||
end
|
|
||||||
|
|
||||||
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
|
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
|
||||||
user, sid = create_user(sid, email, password)
|
user, sid = create_user(sid, email, password)
|
||||||
user_array = user.to_a
|
user_array = user.to_a
|
||||||
|
|
Loading…
Reference in a new issue