securely compare passwords, add notice about message removal
@@ -6,6 +6,8 @@ import (
|
||||
|
||||
"gitlab.com/etke.cc/go/mxidwc"
|
||||
"maunium.net/go/mautrix/id"
|
||||
|
||||
"gitlab.com/etke.cc/postmoogle/utils"
|
||||
)
|
||||
|
||||
func parseMXIDpatterns(patterns []string, defaultPattern string) ([]*regexp.Regexp, error) {
|
||||
@@ -78,5 +80,5 @@ func (b *Bot) AllowAuth(mailbox, password string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
return cfg.Password() != "" && cfg.Password() == password
|
||||
return utils.Compare(password, cfg.Password())
|
||||
}
|
||||
|
||||
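Review bot: The empty-password refusal that the removed line performed inline (`cfg.Password() != ""`) now exists only inside utils.Compare, which returns false when its expected argument is empty, and that contract is not visible at this call site. A one-line comment would keep it from being lost if Compare is ever changed: `// utils.Compare refuses an empty stored password, so no explicit emptiness check is needed here.` The argument order on the new line (supplied value first, stored value second) matches Compare's (actual, expected) signature. AllowAuth begins outside the hunk.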
@@ -76,7 +76,6 @@ func (b *Bot) initCommands() commandList {
|
||||
{
|
||||
key: roomOptionPassword,
|
||||
description: "Get or set SMTP password of the room's mailbox",
|
||||
sanitizer: func(s string) string { return strings.TrimSpace(s) },
|
||||
allowed: b.allowOwner,
|
||||
},
|
||||
{allowed: b.allowOwner}, // delimiter
|
||||
|
||||
@@ -62,12 +62,17 @@ func (b *Bot) getOption(ctx context.Context, name string) {
|
||||
msg := fmt.Sprintf("`%s` of this room is `%s`\n"+
|
||||
"To set it to a new value, send a `%s %s VALUE` command.",
|
||||
name, value, b.prefix, name)
|
||||
if name == roomOptionPassword {
|
||||
msg = msg + "\n\n---\n\n" +
|
||||
"**Please, remove that message after reading.**"
|
||||
}
|
||||
b.SendNotice(ctx, evt.RoomID, msg)
|
||||
}
|
||||
|
||||
//nolint:gocognit
|
||||
func (b *Bot) setOption(ctx context.Context, name, value string) {
|
||||
cmd := b.commands.get(name)
|
||||
if cmd != nil {
|
||||
if cmd != nil && cmd.sanitizer != nil {
|
||||
value = cmd.sanitizer(value)
|
||||
}
|
||||
|
||||
@@ -104,5 +109,10 @@ func (b *Bot) setOption(ctx context.Context, name, value string) {
|
||||
return
|
||||
}
|
||||
|
||||
b.SendNotice(ctx, evt.RoomID, fmt.Sprintf("`%s` of this room set to `%s`", name, value))
|
||||
msg := fmt.Sprintf("`%s` of this room set to `%s`", name, value)
|
||||
if name == roomOptionPassword {
|
||||
msg = msg + "\n\n---\n\n" +
|
||||
"**Please, remove that message and the previous one.**"
|
||||
}
|
||||
b.SendNotice(ctx, evt.RoomID, msg)
|
||||
}
|
||||
|
||||
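Review bot: The confirmation built on the new `msg := fmt.Sprintf("`%s` of this room set to `%s`", name, value)` line still embeds the freshly set password in a room notice, and the added text leaves its removal to the user; a redaction is best-effort and happens only after the value has already been delivered to every client and server in the room. The sender already knows the value they just typed, so the notice can confirm the change without echoing it, e.g. `if name == roomOptionPassword { value = "(hidden)" }` placed just before the Sprintf, assuming the option has already been persisted above this hunk (outside view). The removal request then only needs to refer to the user's own command message, whereas getOption necessarily shows the value and its added note is appropriate there. setOption starts outside the hunk.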
@@ -1,6 +1,7 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"strconv"
|
||||
"strings"
|
||||
)
|
||||
@@ -33,3 +34,24 @@ func Bool(str string) bool {
|
||||
func SanitizeBoolString(str string) string {
|
||||
return strconv.FormatBool(Bool(str))
|
||||
}
|
||||
|
||||
// Compare strings with constant time to prevent timing attacks
|
||||
func Compare(actual, expected string) bool {
|
||||
actualb := []byte(actual)
|
||||
expectedb := []byte(expected)
|
||||
|
||||
if expected == "" {
|
||||
// Just to keep constant time
|
||||
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
|
||||
return false
|
||||
}
|
||||
|
||||
// actual comparison
|
||||
if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 {
|
||||
return subtle.ConstantTimeCompare(actualb, expectedb) == 1
|
||||
}
|
||||
|
||||
// Just to keep constant time
|
||||
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
|
||||
return false
|
||||
}
|
||||
|
||||
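Review bot: The explicit length check on the `if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1` line duplicates what subtle.ConstantTimeCompare already does (it returns 0 immediately when the lengths differ), and both forms still make the length-mismatch path observably cheaper than a full comparison of equal-length inputs; the self-compare fallback narrows but does not remove that difference. The usual fix is to hash both strings first so the compared slices always have the same length, which also removes the int32 narrowing and both dummy compares; this needs `crypto/sha256` added to the import block in the hunk above. The early return for an empty expected value is fine to keep, since it reveals only that no password is configured. The doc comment should also follow Go convention and start with the name: `// Compare reports whether actual equals expected using a constant-time comparison; an empty expected value never matches.`
```go
func Compare(actual, expected string) bool {
	if expected == "" {
		return false
	}
	// Hash both sides so the compared slices always have equal length and
	// the comparison cannot short-circuit on a length mismatch.
	actualSum := sha256.Sum256([]byte(actual))
	expectedSum := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(actualSum[:], expectedSum[:]) == 1
}
```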