Closed BenGardiner closed 6 years ago
Confirmed. You CAN login with any password. This is a dumb mistake.
Whew. I guess I earned my keep on this code review 😎
On Tue, Aug 28, 2018, 20:48 Drew Parker notifications@github.com wrote:
Closed #11 https://github.com/reap3r/firewall/issues/11.
https://github.com/reap3r/firewall/blob/f68a1bca6b5627714e34fe9aebb914720be59bed/appliance/app/models.py#L35
this is returning non-false for any non-false hash value; i.e. I think anyone can login with any password ATM.
follow-on bug: integration tests are warranted for at least /login.
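The bug class reported above (a password check whose return value is truthy for any hash) and the kind of /login regression test the follow-on asks for, as an added example that is not the project's own code. The linked models.py is not reproduced on this page, so `User`, `check_password_buggy`, `check_password_fixed`, `login` and `run_login_regression` are hypothetical names, and the PBKDF2 hashing is an assumption chosen only to make the sketch run.

```python
import hashlib
import hmac
import os

# Constructed sketch: all names here are hypothetical, not taken from the project.

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash (PBKDF2-HMAC-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)

    def check_password_buggy(self, candidate: str):
        # Returns the candidate's hash instead of comparing it to the stored
        # one. Any non-empty bytes value is truthy, so every password passes.
        return hash_password(candidate, self.salt)

    def check_password_fixed(self, candidate: str) -> bool:
        # Compare against the stored hash in constant time; always a bool.
        return hmac.compare_digest(
            self.password_hash, hash_password(candidate, self.salt)
        )

def login(user: User, candidate: str, checker) -> int:
    """Stand-in for a /login handler: 200 on success, 401 otherwise."""
    return 200 if checker(user, candidate) else 401

def run_login_regression(checker) -> dict:
    """Negative cases are the ones that catch this bug: a test that only
    submits the correct password passes against the buggy check too."""
    user = User("correct horse")  # constructed sample credential
    return {
        "good": login(user, "correct horse", checker),
        "bad": login(user, "wrong password", checker),
        "empty": login(user, "", checker),
    }

if __name__ == "__main__":
    print("buggy:", run_login_regression(User.check_password_buggy))
    print("fixed:", run_login_regression(User.check_password_fixed))
```
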