Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-08-09 07:19:05 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

empty passwords will no longer allow any password to pass DS HTTP auth

Browse source
This commit is contained in:
seefo 2017-05-23 12:01:00 -07:00
parent 207c13c3c3
commit 8a8f971186
2 changed files with 6 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
domain-server/resources/describe-settings.json
View file

@ -157,7 +157,8 @@
"name": "http_password", "name": "http_password",
"label": "HTTP Password", "label": "HTTP Password",
"type": "password", "type": "password",
"help": "Password used for basic HTTP authentication. Leave this blank if you do not want to change it.", "help": "Password used for basic HTTP authentication. Leave this alone if you do not want to change it.",
"default" : "password",
"value-hidden": true "value-hidden": true
}, },
{ {

8
domain-server/src/DomainServer.cpp
View file

@ -2114,10 +2114,10 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
const QVariant* settingsPasswordVariant = valueForKeyPath(settingsMap, BASIC_AUTH_PASSWORD_KEY_PATH); const QVariant* settingsPasswordVariant = valueForKeyPath(settingsMap, BASIC_AUTH_PASSWORD_KEY_PATH);
QString settingsPassword = settingsPasswordVariant ? settingsPasswordVariant->toString() : ""; QString settingsPassword = settingsPasswordVariant ? settingsPasswordVariant->toString() : "";
QString hexHeaderPassword = QCryptographicHash::hash(headerPassword.toUtf8(), QCryptographicHash::Sha256).toHex(); QString hexHeaderPassword = headerPassword.isEmpty() ?
"" : QCryptographicHash::hash(headerPassword.toUtf8(), QCryptographicHash::Sha256).toHex();
if (settingsUsername == headerUsername
&& (settingsPassword.isEmpty() || hexHeaderPassword == settingsPassword)) { if (settingsUsername == headerUsername && hexHeaderPassword == settingsPassword) {
return true; return true;
} }
} }