Skip to content

Commit

Permalink
campaignd: Reject empty passphrases
Browse files Browse the repository at this point in the history 
Fixes issue #2444.

Clients may send an empty passphrase, especially if they do not do as
the mainline client and generate a random one to substitute in the .pbl.
An empty string is still hashable, but the server is really not supposed
to allow an empty passphrase so we should just reject those. It's also a
good warning sign against broken clients -- like wesnoth_addon_manager
right now.
  • Loading branch information
@irydacea @soliton-
irydacea authored and soliton- committed Feb 11, 2018
1 parent 940cd3a commit 5ed3810
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 2 deletions.
4 changes: 4 additions & 0 deletions changelog
View file
Expand Up @@ -4,6 +4,10 @@ Version 1.13.11:
latest update or original upload (issue #1747)
* Players will now be prompted to update outdated dependencies alongside
downloading missing ones when installing an add-on.
* Add-ons server:
* Empty passphrases from malfunctioning clients that do not provide or
generate a passphrase otherwise are now rejected instead of treated as
valid.
* Campaigns:
* The Cutscene_Minimal theme is now used in all dialog only scenarios that
have linger=no in [end_level].
Expand Down
14 changes: 12 additions & 2 deletions src/campaign_server/campaign_server.cpp
View file
Expand Up @@ -715,6 +715,9 @@ void server::handle_upload(const server::request& req)
"Add-on rejected: The add-on contains files or directories with case conflicts. "
"File or directory names may not be differently-cased versions of the same string.",
filelist, req.sock);
} else if(upload["passphrase"].empty()) {
LOG_CS << "Upload aborted - missing passphrase.\n";
send_error("No passphrase was specified.", req.sock);
} else if(campaign && !authenticate(*campaign, upload["passphrase"])) {
LOG_CS << "Upload aborted - incorrect passphrase.\n";
send_error("Add-on rejected: The add-on already exists, and your passphrase was incorrect.", req.sock);
Expand Down Expand Up @@ -833,9 +836,16 @@ void server::handle_delete(const server::request& req)
return;
}

if(!authenticate(campaign, erase["passphrase"])
const config::attribute_value& pass = erase["passphrase"];

if(pass.empty()) {
send_error("No passphrase was specified.", req.sock);
return;
}

if(!authenticate(campaign, pass)
&& (campaigns()["master_password"].empty()
|| campaigns()["master_password"] != erase["passphrase"]))
|| campaigns()["master_password"] != pass))
{
send_error("The passphrase is incorrect.", req.sock);
return;
Expand Down

0 comments on commit 5ed3810

Please sign in to comment.