From d96f2a71849ed312c3c69177f1cb7b4a174421da Mon Sep 17 00:00:00 2001
From: leonklingele
Date: Wed, 21 Dec 2016 09:41:37 +0100
Subject: Fix random string generator (#3953)
* Remove unused custom-alphabet feature of random string generator
* Fix modulo-biased random string generator
* Random string generator should return error if it fails to read random data via crypto/rand
---
 routers/admin/users.go | 6 +++++-
 routers/api/v1/admin/user.go | 6 +++++-
 routers/install.go | 7 ++++++-
 routers/user/auth.go | 17 ++++++++++++++---
 routers/user/setting.go | 6 +++++-
 5 files changed, 35 insertions(+), 7 deletions(-)
(limited to 'routers')
diff --git a/routers/admin/users.go b/routers/admin/users.go
index eb91ea2f..6841da1f 100644
--- a/routers/admin/users.go
+++ b/routers/admin/users.go
@@ -192,7 +192,11 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
 if len(form.Password) > 0 {
 u.Passwd = form.Password
- u.Salt = models.GetUserSalt()
+ var err error
+ if u.Salt, err = models.GetUserSalt(); err != nil {
+ ctx.Handle(500, "UpdateUser", err)
+ return
+ }
 u.EncodePasswd()
 }
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 6d38dee1..51e2bfe0 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -85,7 +85,11 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
 if len(form.Password) > 0 {
 u.Passwd = form.Password
- u.Salt = models.GetUserSalt()
+ var err error
+ if u.Salt, err = models.GetUserSalt(); err != nil {
+ ctx.Error(500, "UpdateUser", err)
+ return
+ }
 u.EncodePasswd()
 }
diff --git a/routers/install.go b/routers/install.go
index 651f2f2f..e71424c6 100644
--- a/routers/install.go
+++ b/routers/install.go
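Review bot: The new failure branch labels the salt-generation error `UpdateUser` even though no update has run yet, so in the log it is indistinguishable from a genuine UpdateUser failure a few lines later; `ctx.Handle(500, "GetUserSalt", err)` names the operation that actually failed. The same label is reused in the new branches of routers/api/v1/admin/user.go, both hunks of routers/user/auth.go and routers/user/setting.go. EditUserPost starts before the hunk and continues past it.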
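Review bot: `ctx.Error(500, "UpdateUser", err)` hands the raw error object to the API response helper; if APIContext.Error serializes `err.Error()` into the JSON body (its implementation is outside this diff), the text of a crypto/rand read failure, which can include an internal device path, is returned to the API client. For a 500 the client only needs a fixed message, so log err here and pass a constant message to the helper instead, or confirm the helper already redacts error text on 500 responses. EditUser starts before the hunk and continues past it.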
@@ -343,7 +343,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
 cfg.Section("log").Key("ROOT_PATH").SetValue(form.LogRootPath)
 cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
- cfg.Section("security").Key("SECRET_KEY").SetValue(base.GetRandomString(15))
+ secretKey, err := base.GetRandomString(15)
+ if err != nil {
+ ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), INSTALL, &form)
+ return
+ }
+ cfg.Section("security").Key("SECRET_KEY").SetValue(secretKey)
 os.MkdirAll(filepath.Dir(setting.CustomConf), os.ModePerm)
 if err := cfg.SaveTo(setting.CustomConf); err != nil {
diff --git a/routers/user/auth.go b/routers/user/auth.go
index 7117f1ec..cd929fa7 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -273,7 +273,11 @@ func Activate(ctx *context.Context) {
 // Verify code.
 if user := models.VerifyUserActiveCode(code); user != nil {
 user.IsActive = true
- user.Rands = models.GetUserSalt()
+ var err error
+ if user.Rands, err = models.GetUserSalt(); err != nil {
+ ctx.Handle(500, "UpdateUser", err)
+ return
+ }
 if err := models.UpdateUser(user); err != nil {
 if models.IsErrUserNotExist(err) {
 ctx.Error(404)
@@ -407,8 +411,15 @@ func ResetPasswdPost(ctx *context.Context) {
 }
 u.Passwd = passwd
- u.Rands = models.GetUserSalt()
- u.Salt = models.GetUserSalt()
+ var err error
+ if u.Rands, err = models.GetUserSalt(); err != nil {
+ ctx.Handle(500, "UpdateUser", err)
+ return
+ }
+ if u.Salt, err = models.GetUserSalt(); err != nil {
+ ctx.Handle(500, "UpdateUser", err)
+ return
+ }
 u.EncodePasswd()
 if err := models.UpdateUser(u); err != nil {
 ctx.Handle(500, "UpdateUser", err)
diff --git a/routers/user/setting.go b/routers/user/setting.go
index 10e8fd02..35bff326 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
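Review bot: `ctx.Tr("install.secret_key_failed", err)` introduces a locale key, and this view of the commit is limited to `routers`, so whether the locale files gained an `install.secret_key_failed` entry with a placeholder for the error cannot be confirmed here; a missing entry would show the bare key name on the install page. The key length stays at the 15 characters the replaced call used; since the generator's alphabet is outside this diff, it is worth confirming the entropy that yields is adequate for SECRET_KEY. InstallPost starts before the hunk and continues past it.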
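Review bot: The added `var err error` in Activate exists only so `user.Rands` can be assigned inside the `if` initializer, and the unchanged `if err := models.UpdateUser(user); err != nil` directly below then declares a second `err` that shadows it. Reading into a local first avoids both: `rands, err := models.GetUserSalt()`, `if err != nil { ctx.Handle(500, "UpdateUser", err); return }`, `user.Rands = rands`. The same shape appears twice in the ResetPasswdPost hunk below and in routers/user/setting.go. Activate starts before the hunk and continues past it.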
@@ -189,7 +189,11 @@ func SettingsPasswordPost(ctx *context.Context, form auth.ChangePasswordForm) {
 ctx.Flash.Error(ctx.Tr("form.password_not_match"))
 } else {
 ctx.User.Passwd = form.Password
- ctx.User.Salt = models.GetUserSalt()
+ var err error
+ if ctx.User.Salt, err = models.GetUserSalt(); err != nil {
+ ctx.Handle(500, "UpdateUser", err)
+ return
+ }
 ctx.User.EncodePasswd()
 if err := models.UpdateUser(ctx.User); err != nil {
 ctx.Handle(500, "UpdateUser", err)
-- 
cgit v1.2.3
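Review bot: When the new early return fires, `ctx.User.Passwd` has already been overwritten with the plaintext form password on the line above while `ctx.User.Salt` keeps its old value, so the request's user object is left half-updated in memory (UpdateUser is never reached) for whatever the 500 handler does next. Generating the salt before touching ctx.User keeps the object consistent on failure: `salt, err := models.GetUserSalt()` ahead of `ctx.User.Passwd = form.Password`, then `ctx.User.Salt = salt` once the error check has passed. SettingsPasswordPost starts before the hunk and continues past it.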