| author | Omar Roth <omarroth@protonmail.com> | 2019-05-27 09:06:32 -0500 |
|---|---|---|
| committer | Omar Roth <omarroth@protonmail.com> | 2019-05-27 09:06:32 -0500 |
| commit | f820706e4f6cfdaea8990c03bfb6bfceaf4188be (patch) | |
| tree | cac1ea04e4353910d5937c7ba0e47a1400d87596 /src | |
| parent | 29e9e0f2cc9d0d81ef2978c8f9dfc1810588bd0d (diff) | |
Truncate password to 55 bytes
Diffstat (limited to 'src')
| -rw-r--r-- | src/invidious.cr | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index a7cd137c..ad4401a7 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1073,7 +1073,7 @@ post "/login" do |env|
 next templated "error"
 end
- if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password.byte_slice(0, 55)
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)
@@ -1107,6 +1107,19 @@ post "/login" do |env|
 next templated "error"
 end
+ if password.empty?
+ error_message = translate(locale, "Password cannot be empty")
+ next templated "error"
+ end
+
+ # See https://security.stackexchange.com/a/39851
+ if password.bytesize > 55
+ error_message = translate(locale, "Password should not be longer than 55 characters")
+ next templated "error"
+ end
+
+ password = password.byte_slice(0, 55)
+
 if config.captcha_enabled
 captcha_type = env.params.body["captcha_type"]?
 answer = env.params.body["answer"]?
@@ -1168,17 +1181,6 @@ post "/login" do |env|
 end
 end
- if password.empty?
- error_message = translate(locale, "Password cannot be empty")
- next templated "error"
- end
-
- # See https://security.stackexchange.com/a/39851
- if password.size > 55
- error_message = translate(locale, "Password cannot be longer than 55 characters")
- next templated "error"
- end
-
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 user, sid = create_user(sid, email, password)
 user_array = user.to_a |
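Review bot: In the first hunk, `== password.byte_slice(0, 55)` changes how already-registered accounts are verified: the removed registration check was `password.size > 55` (characters, not bytes), so a stored hash may have been computed over a multibyte password longer than 55 bytes, and such a user would presumably stop being able to log in once the comparison is truncated — worth confirming against existing data before deploying, or calling out in the commit message. In the second hunk the `password = password.byte_slice(0, 55)` that follows the `bytesize > 55` rejection can never shorten anything, so either drop it or keep it with a comment such as `# no-op today; kept so the stored hash always covers exactly the bytes login compares`. The new rejection message says "55 characters" while the test is `bytesize`; `"Password should not be longer than 55 bytes"` would state what is actually enforced, since a 55-character non-ASCII password exceeds the limit. The enclosing `post "/login"` block starts and ends outside all three hunks.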
