server: Ensure that password is nonempty when verifying with rcrypt

next
Sayan Nandan 6 months ago
parent 093688e102
commit b83e42af26
No known key found for this signature in database
GPG Key ID: 0EBD769024B24F0A

@ -84,14 +84,19 @@ impl SystemDatabase {
.read() .read()
.get(username) .get(username)
.map(|user| { .map(|user| {
if rcrypt::verify(password, &user.phash).unwrap() { if password.is_empty() {
return VerifyUser::IncorrectPassword;
}
match rcrypt::verify(password, user.hash()) {
Ok(true) => {
if username == Self::ROOT_ACCOUNT { if username == Self::ROOT_ACCOUNT {
VerifyUser::OkayRoot VerifyUser::OkayRoot
} else { } else {
VerifyUser::Okay VerifyUser::Okay
} }
} else { }
VerifyUser::IncorrectPassword Ok(false) => VerifyUser::IncorrectPassword,
Err(_) => unreachable!(),
} }
}) })
.unwrap_or(VerifyUser::NotFound) .unwrap_or(VerifyUser::NotFound)
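Review bot: The `Err(_) => unreachable!()` arm still panics in the authentication path if `rcrypt::verify` ever returns an error for a reason other than the empty password that the new guard filters out. Whether such errors exist (for example a stored hash that is malformed or truncated) is not visible in this hunk, so the arm should fail closed instead of asserting: `Err(_) => VerifyUser::IncorrectPassword,`, ideally with a log line so a damaged record gets noticed. A one-line comment on the `password.is_empty()` guard would also help, e.g. `// rcrypt::verify is assumed to error on an empty password; reject it before hashing`, with the wording confirmed against rcrypt since that reason is inferred from the commit title. The enclosing function starts and ends outside the hunk.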
