htpasswd: don't strip whitespaces and allow ':' in plain password

2025-06-26 16:45:52 +00:00 · 2017-08-17 06:46:38 +02:00 · 2017-08-17 06:46:38 +02:00 · 73038e518a
commit 73038e518a
parent a73a7ab193
2 changed files with 29 additions and 11 deletions
--- a/radicale/auth.py
+++ b/radicale/auth.py
@ -170,16 +170,18 @@ class Auth(BaseAuth):

    def _crypt(self, crypt, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, crypt method."""
+        hash_value = hash_value.strip()
        return hmac.compare_digest(crypt.crypt(password, hash_value),
                                   hash_value)

    def _sha1(self, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, sha1 method."""
-        hash_value = hash_value.replace("{SHA}", "").encode("ascii")
+        hash_value = base64.b64decode(hash_value.strip().replace(
+            "{SHA}", "").encode("ascii"))
        password = password.encode(self.configuration.get("encoding", "stock"))
        sha1 = hashlib.sha1()
        sha1.update(password)
-        return hmac.compare_digest(sha1.digest(), base64.b64decode(hash_value))
+        return hmac.compare_digest(sha1.digest(), hash_value)

    def _ssha(self, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, salted sha1 method.
@ -188,7 +190,7 @@ class Auth(BaseAuth):
        written with e.g. openssl, and nginx can parse it.

        """
-        hash_value = base64.b64decode(hash_value.replace(
+        hash_value = base64.b64decode(hash_value.strip().replace(
            "{SSHA}", "").encode("ascii"))
        password = password.encode(self.configuration.get("encoding", "stock"))
        salt_value = hash_value[20:]
@ -199,9 +201,11 @@ class Auth(BaseAuth):
        return hmac.compare_digest(sha1.digest(), hash_value)

    def _bcrypt(self, bcrypt, hash_value, password):
+        hash_value = hash_value.strip()
        return bcrypt.verify(password, hash_value)

    def _md5apr1(self, md5_apr1, hash_value, password):
+        hash_value = hash_value.strip()
        return md5_apr1.verify(password, hash_value)

    def is_authenticated(self, user, password):
@ -209,12 +213,12 @@ class Auth(BaseAuth):
        # very cheap operation, and it's useful to get live updates of the
        # htpasswd file.
        try:
-            with open(self.filename) as fd:
-                for line in fd:
-                    line = line.strip()
-                    if line:
+            with open(self.filename) as f:
+                for line in f:
+                    line = line.rstrip("\n")
+                    if line.lstrip():
                        try:
-                            login, hash_value = line.split(":")
+                            login, hash_value = line.split(":", maxsplit=1)
                            # Always compare both login and password to avoid
                            # timing attacks, see #591.
                            login_ok = hmac.compare_digest(login, user)