search

ocf / ocflib

Python libraries for account and server management
https://pypi.python.org/pypi/ocflib
Other
15 stars 32 forks source link

Investigate text encoding for passwords #186

Open dkess opened 5 years ago

dkess commented 5 years ago

Interesting rootspam from last night:

 An exception occured in ocfweb:

Traceback (most recent call last):
  File "/opt/ocfweb/venv/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/ocfweb/ocfweb/auth.py", line 53, in wrapper
    return fn(request, *args, **kwargs)
  File "/opt/ocfweb/ocfweb/account/register.py", line 75, in request_account
    RSA.importKey(CREATE_PUBLIC_KEY),
  File "/opt/ocfweb/venv/lib/python3.7/site-packages/ocflib/account/creation.py", line 435, in encrypt_password
    return RSA_CIPHER.encrypt(password.encode('ascii'))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-5: ordinal not in range(128)

Request:
  * Host: www.ocf.berkeley.edu
  * Path: /account/register/
  * Method: POST
  * Secure: True

I assume this is from someone trying to use non-ascii character in their password. I am not sure what the best practices for this are, but we should investigate this further and see if we can avoid using the ascii encoding.

zpfeiffer commented 5 years ago

I'm also not sure what the best practice here is but as far as preventing this error goes it seems to be a problem with the password validation. validate_password should reject non-ascii characters here, but validate_password isn't called until the NewAccountRequest is created, by which point the non-ascii characters have already been passed to encrypt_password.

Perhaps a short term fix could be to validate the password before creating the NewAccountRequest and a long term fix could be to change the encoding used for encrypted passwords to something more general like password.encode('base64','strict') (assuming that no other software requires ascii-only passwords).

dkess commented 5 years ago

You have to be careful with full Unicode passwords since you don't want to allow passwords that users won't be able to type. Unicode is full of surprises and edge cases. For now, let's stick with ASCII and if you want to go beyond that, do some research on the state-of-the-art and implement what's done elsewhere in a separate, future commit.

bzh-bzh commented 5 years ago

Tfw no emoji passwords 😭

ethanhs commented 5 years ago

TIL https://tools.ietf.org/html/rfc8265

E: also I have someone in mind to ask about sources of how to handle Unicode correctly.