Open aAlexanderLeben opened 4 months ago
Problems occur in install#L102 when calling

```bash
password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())")
```
Trying to construct a byte literal using `b\"$password\"` produces a syntax error, e.g.

```python
>>> test_byte = b"ê"
  File "<stdin>", line 1
    test_byte = b"ê"
                ^^^^
SyntaxError: bytes can only contain ASCII literal characters
```
From https://docs.python.org/3/reference/lexical_analysis.html#string-and-bytes-literals:

> Bytes literals [...] may only contain ASCII characters;
See https://github.com/pyca/bcrypt/tree/main?tab=readme-ov-file#maximum-password-length

```python
>>> import bcrypt
>>> salt = bcrypt.gensalt(rounds=10)
>>> ok_password = b"2wvKFD7C0FbfATxP9aK5eWa2BbiwEuaFjRkM4tSo6c72atn20CJYV2NRBDrfVvg451ZHbaYK"
>>> problematic_password = ok_password + b"padding"
>>> bcrypt.hashpw(ok_password, salt) == bcrypt.hashpw(problematic_password, salt)
True
```
Add validation to `config_panel.toml`, not very sure about the syntax, but you should get the idea. Maybe a lower limit should be introduced as well. And maybe there are more perks to it that I did not notice.
An explanation of the regexp `[ -~]` can be found at https://catonmat.net/my-favorite-regex
```toml
[main.extra.new_password]
# anchored so that the whole value must be printable ASCII; {0,72} is the portable form of {,72}
pattern.regexp = '^[ -~]{0,72}$'
pattern.error.en = "Your password must only contain ASCII characters and cannot have more than 72 characters"
```
Describe the bug
There is no pre-validation of `main.extra.new_password` from `config_panel.toml`, which leads to errors at the installation step.
Context
Steps to reproduce
VWÎQF¯ê6Ò´3ÜÂû°QOÔQà8±©¨6àaÕ¨Há§ïN¨ZµÆøYpsVçiUBò¼T¸H²NügÙÒ¸ûÃ6¤0
Expected behavior
A check of the password should be performed before attempting an installation.
Logs
https://paste.yunohost.org/raw/uxiduferob
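Added example, not part of this issue or of the project's own code: a Python check that applies the same rule as the proposed `config_panel.toml` pattern (printable ASCII, at most 72 characters, with an assumed lower bound of one character), and an assumed way of handing the secret to the hashing interpreter through an environment variable instead of splicing it into a byte literal, so non-ASCII input can no longer break the Python syntax.

```python
import os
import re
import subprocess
import sys
from typing import Optional

# Mirrors the proposed config panel pattern, anchored; the lower bound of 1 is an assumption.
PASSWORD_RE = re.compile(r"^[ -~]{1,72}$")

# 72-character ASCII sample taken from the issue text above.
OK_PASSWORD = "2wvKFD7C0FbfATxP9aK5eWa2BbiwEuaFjRkM4tSo6c72atn20CJYV2NRBDrfVvg451ZHbaYK"


def validate_password(password: str) -> Optional[str]:
    """Return None when the password is acceptable, otherwise the reason it is rejected."""
    if password == "":
        return "password is empty"
    # bcrypt only uses the first 72 bytes, so anything longer would be silently truncated
    if len(password.encode("utf-8")) > 72:
        return "password exceeds 72 bytes; bcrypt would silently truncate it"
    # Non-ASCII input is what makes the b"..." literal in the install script fail to parse
    if PASSWORD_RE.fullmatch(password) is None:
        return "password contains characters outside printable ASCII"
    return None


def hash_password_via_env(password: str) -> str:
    """Hash in a child interpreter that reads the secret from an environment variable.

    Hypothetical replacement for the install script's b\"$password\" interpolation;
    it needs the bcrypt package installed for the child interpreter.
    """
    reason = validate_password(password)
    if reason is not None:
        raise ValueError(reason)
    child = subprocess.run(
        [sys.executable, "-c",
         "import os, bcrypt; "
         "print(bcrypt.hashpw(os.environ['APP_PASSWORD'].encode(), "
         "bcrypt.gensalt(rounds=10)).decode())"],
        env={**os.environ, "APP_PASSWORD": password},
        check=True, capture_output=True, text=True,
    )
    return child.stdout.strip()


if __name__ == "__main__":
    for sample in (OK_PASSWORD, OK_PASSWORD + "padding", "ê", ""):
        print(repr(sample[:16]), "->", validate_password(sample) or "ok")
```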