cmd/syncthing: Accept pre-hashed password in config POST (fixes #4458) #4466
…hing#4458) It must be a bcrypt hash.
cmd/syncthing/gui.go
Outdated
@@ -790,7 +791,8 @@ func (s *apiService) postSystemConfig(w http.ResponseWriter, r *http.Request) { | |||
} | |||
|
|||
if to.GUI.Password != s.cfg.GUI().Password { | |||
if to.GUI.Password != "" { | |||
bcryptExpr := regexp.MustCompile(`^\$2[aby]\$\d+\$.{50,}`) |
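Review bot: The pattern on the `bcryptExpr` line is looser than the bcrypt encoding it is meant to recognise: there is no trailing `$` anchor, `\d+` accepts any number of cost digits, and `.{50,}` accepts any characters at any length, so a string that merely starts like a hash would be taken as pre-hashed. Suggest tightening it to something like `^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$` (two-digit cost, then 53 characters from the bcrypt base64 alphabet), and moving the `regexp.MustCompile` call to a package-level variable so it is not recompiled inside `postSystemConfig` on every request.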
Maybe make this a global variable to compile only once?
When I back up the config on my Android phone, then I can see the GUI password.
Will I have a bad day too?
No. You're fine.
Apart from @imsodin's comment, LGTM.
@st-review merge these relations into a consolidated set of 3nf relations
@calmh: Build status is
It must be a bcrypt hash.
Tested manually to change password to and from stuff and pasting in a hash in the password field in the GUI.
If your actual password looks like
$2a$10$(50 characters or more)
you're going to have a bad day. I'd wager that doesn't happen very often.