author | Ted Trask <ttrask01@yahoo.com> | 2014-09-17 22:00:41 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2014-09-17 22:00:41 +0000 |
commit | 6bf932da3d45a1c176eba5bbfb0af2784bc67686 (patch) | |
tree | acb764b891edda42076cb81e8b051e1c4be7a74b | |
parent | 2ecbaa496a6f4545d9a883b714f426b53339f1ee (diff) | |
download | acf-freeradius3-6bf932da3d45a1c176eba5bbfb0af2784bc67686.tar.bz2 acf-freeradius3-6bf932da3d45a1c176eba5bbfb0af2784bc67686.tar.xz |
Changes to prevent blank passwords
-rw-r--r-- | freeradius3-model.lua | 27 |
1 files changed, 12 insertions, 15 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 078268b..9f87224 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -235,8 +235,7 @@ local get_passwd_entry_private = function(self, clientdata, create)
 if label == "Crypt-Password" then
 hash = entryline[i]
 -- We do not return the encrypted password, but will leave unchanged if blank
- retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, seq=i })
- -- FIXME - this leads to inconsistent handling of blank password since this function is reused
+ retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, descr="Must not be blank", seq=i })
 if not create then retval.value.fields.value[tostring(i)].descr="Leave blank to leave unchanged" end
 retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
 -- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
@@ -250,15 +249,19 @@ local get_passwd_entry_private = function(self, clientdata, create)
 end
 
 local update_passwd_entry_private = function(self, entry, create)
- -- The password/index fields have already been validated
+ -- The filename/entry fields have already been validated
 if not entry.value.fields then
 entry.errtxt = "Invalid passwd entry"
 else
 -- The only fields we can validate are the password algorithms
 -- Don't search for 'select' cfe's because they have been changed to hidden
+ -- And check for blank password
 for n,v in pairs(entry.value.fields.value) do
 if v.option and not modelfunctions.validateselect(v) then
- entry.errtxt = "Invalid passwd entry"
+ entry.errtxt = "Invalid passwd entry"
+ elseif v.type == "password" and v.value == "" and create then
+ v.errtxt = "Cannot be blank"
+ entry.errtxt = "Invalid passwd entry"
 end
 end
 if not entry.errtxt then
@@ -266,7 +269,6 @@ local update_passwd_entry_private = function(self, entry, create)
 local content = fs.read_file_as_array(entry.value.filename.value) or {}
 local values = {}
 for n,v in pairs(entry.value.fields.value) do
- -- FIXME - this leads to inconsistent handling of blank password since this function is reused
 if v.type=="password" and v.value=="" then
 -- Keep the same password
 local line = {}
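Review bot: The new blank-password check in update_passwd_entry_private, `elseif v.type == "password" and v.value == "" and create then`, only catches an empty string; a password cfe whose `value` is nil (field absent from the submitted form) is not rejected, and the later "Keep the same password" branch in the same function also tests `v.value==""`, so a nil value would presumably fall through to the write path. Comparing against a normalised value, `elseif v.type == "password" and (v.value or "") == "" and create then`, closes that gap; the same `== ""` pattern appears in the update_passwd hunk below. If the rule is meant to reject empty credentials, note that a whitespace-only value passes both checks as written, which may or may not be intended. The loop variable `n` is unused on the new side and could be `_`. The enclosing `for` loop and function body continue outside the hunk.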
@@ -576,14 +578,11 @@ function mymodule.get_passwd(self, clientdata)
 end
 
 function mymodule.update_passwd(self, passwd)
- if not passwd.value.entry then
- passwd.errtxt = "Failed to set password"
- return passwd
- end
- -- The password/index fields have already been validated
- if not passwd.value.password then
- passwd.errtxt = "Invalid passwd entry"
- else
+ -- The filename/entry fields have already been validated
+ passwd.errtxt = "Failed to set password"
+ if passwd.value.password and passwd.value.password.value == "" then
+ passwd.value.password.errtxt = "Cannot be blank"
+ elseif passwd.value.entry and passwd.value.password then
 -- Get the entry form and current password hash
 local form,pwhash = get_passwd_entry_private(self, {filename=passwd.value.filename.value, entry=passwd.value.entry.value}, false)
@@ -613,8 +612,6 @@ function mymodule.update_passwd(self, passwd)
 end
 form = update_passwd_entry_private(self, form, false)
 passwd.errtxt = form.errtxt
- else
- passwd.errtxt = "Failed to set password"
 end
 end
 return passwd
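Review bot: In mymodule.update_passwd the new code presets `passwd.errtxt = "Failed to set password"` and relies on the `passwd.errtxt = form.errtxt` assignment in the later hunk to clear it on success, which a reader of the first hunk cannot see; a comment at that line would make the contract explicit, e.g. `-- Assume failure; only the successful update_passwd_entry_private path below replaces this`. The blank check here has the same nil gap noted on the update_passwd_entry_private hunk: `passwd.value.password.value == ""` does not reject a nil value, and the `elseif` then proceeds with it. The middle of the function lies outside these two hunks, so the hash handling between them is not reviewed here.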