Check password hash validity

diff --git a/src/base64.cpp b/src/base64.cpp
index 0dfba501303aa4606232c5f667f35f6ea895b86c..90d4de20321c29f87d0f5caa19c8d66822024392 100644 (file)
--- a/src/base64.cpp
+++ b/src/base64.cpp
@@ -38,6 +38,13 @@ static inline bool is_base64(unsigned char c) {
   return (isalnum(c) || (c == '+') || (c == '/'));
 }
 
+bool base64_is_valid(std::string const& s)
+{
+       for(int i=0; i<s.size(); i++)
+               if(!is_base64(s[i])) return false;
+       return true;
+}
+
 std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) {
   std::string ret;
   int i = 0;

diff --git a/src/base64.h b/src/base64.h
index 65d5db8b22cbb4c14c920cec79c542a454a1ae91..a29e69687774e1b0e6f66bfd5adfae8aa9625e51 100644 (file)
--- a/src/base64.h
+++ b/src/base64.h
@@ -1,4 +1,5 @@
 #include <string>
 
+bool base64_is_valid(std::string const& s);
 std::string base64_encode(unsigned char const* , unsigned int len);
 std::string base64_decode(std::string const& s);

diff --git a/src/server.cpp b/src/server.cpp
index 52e9dc879c5560d1311308f1980fa4886ad142a9..97d609503fa9665550b0be6ec8ed5db2c07139ca 100644 (file)
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -39,6 +39,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include "settings.h"
 #include "profiler.h"
 #include "log.h"
+#include "base64.h"
 
 #define PP(x) "("<<(x).X<<","<<(x).Y<<","<<(x).Z<<")"
 
@@ -1961,6 +1962,12 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
                                }
                                password[PASSWORD_SIZE-1] = 0;
                }
+
+               if(!base64_is_valid(password)){
+                       infostream<<"Server: "<<playername<<" supplied invalid password hash"<<std::endl;
+                       SendAccessDenied(m_con, peer_id, L"Invalid password hash");
+                       return;
+               }
                
                std::string checkpwd;
                if(m_authmanager.exists(playername))
@@ -3265,6 +3272,13 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
                        newpwd += c;
                }
 
+               if(!base64_is_valid(newpwd)){
+                       infostream<<"Server: "<<player->getName()<<" supplied invalid password hash"<<std::endl;
+                       // Wrong old password supplied!!
+                       SendChatMessage(peer_id, L"Invalid new password hash supplied. Password NOT changed.");
+                       return;
+               }
+
                infostream<<"Server: Client requests a password change from "
                                <<"'"<<oldpwd<<"' to '"<<newpwd<<"'"<<std::endl;