Passwords with quotes breaks the JSON #79

Closed
fflorent opened this issue Mar 13, 2022 · 4 comments · Fixed by #94

@fflorent

Describe the bug

When installing the application, if the password contains quotes, it breaks the configuration JSON file (/home/yunohost.app/galene/groups/GROUP.json).

  • Install Galene using a password containing quotes (like 1"2"3"4"5)
  • After the installation, you should not be able to join the group filled during the installation
  • Also you should get a broken JSON in /home/yunohost.app/galene/groups/GROUP.json due to the quotes not being escaped

Logs

mars 13 21:31:51 domain.tld systemd[1]: Started Galène: videoconferencing server.
mars 13 21:31:51 domain.tld galene[23076]: 2022/03/13 21:31:51 Starting built-in TURN server on XX.XX.XX.XX:1195
mars 13 21:31:51 domain.tld galene[23076]: 2022/03/13 21:31:51 data/config.json: invalid character '<character here>' after object key:value pair
mars 13 21:31:51 domain.tld galene[23076]: 2022/03/13 21:31:51 Group file /home/yunohost.app/galene/groups/skeptikon.json: invalid character '<character here>' after object key:value pair
mars 13 21:31:51 domain.tld galene[23076]: 2022/03/13 21:31:51 Relay test successful in 30.98294ms, RTT = 264.613µs
mars 13 21:37:22 domain.tld galene[23076]: 2022/03/13 21:37:22 group.Add: invalid character '<character here>' after object key:value pair

Thanks for your work! 🙏

@fflorent

fflorent commented Mar 13, 2022

BTW, Galene supports the hash of the passwords: https://github.com/jech/galene/blob/e673cf1225e4eeefd8c8f658c00675c7fbe53868/README#L178-L193

Couldn't we fix this issue by hashing it?

@jech

jech commented Mar 26, 2022

No need to hash: you just need to escape the quote in the JSON string.

https://datatracker.ietf.org/doc/html/rfc7159#section-7

Any JSON formatting library should do it for you automatically.
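
The difference between pasting a password into a JSON template and letting a JSON library serialize it, as an added example that is not part of this thread or of the package's code. The template, its field names and the `__PASSWORD__` placeholder are constructed assumptions, not copied from the Galene package.

```python
import json

# Constructed stand-in for a templated group file. The field names and the
# __PASSWORD__ placeholder are assumptions made for this example.
TEMPLATE = '{"op": [{"username": "admin", "password": "__PASSWORD__"}]}'


def render_by_substitution(password: str) -> str:
    """Failure mode from the report: raw text pasted inside a JSON string."""
    return TEMPLATE.replace("__PASSWORD__", password)


def render_with_serializer(password: str) -> str:
    """Build the document as data and let the JSON library escape the value."""
    doc = {"op": [{"username": "admin", "password": password}]}
    return json.dumps(doc, ensure_ascii=False)


def parses(text: str) -> bool:
    """True if the rendered file is well-formed JSON."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def stored_password(text: str) -> str:
    """Password a JSON parser would read back from the rendered file."""
    return json.loads(text)["op"][0]["password"]


if __name__ == "__main__":
    # Constructed inputs: the password from the report, and one containing a
    # backslash followed by 'n', which a JSON parser reads as an escape.
    for pw in ['1"2"3"4"5', "a\\nb"]:
        naive = render_by_substitution(pw)
        safe = render_with_serializer(pw)
        print("password:        ", repr(pw))
        print("  substitution:  ", naive)
        print("    valid JSON:  ", parses(naive))
        if parses(naive):
            print("    round-trips: ", stored_password(naive) == pw)
        print("  serializer:    ", safe)
        print("    round-trips: ", stored_password(safe) == pw)
```

The second input shows that quotes are not the only problem: substitution produces a file that parses but stores a different password than the one the user typed.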

@fflorent

fflorent commented Mar 26, 2022

> No need to hash: you just need to escape the quote in the JSON string.
>
> https://datatracker.ietf.org/doc/html/rfc7159#section-7
>
> Any JSON formatting library should do it for you automatically.

Still, hashing passwords is a good practice, isn't it?

@jech

jech commented Mar 26, 2022

> Still, hashing passwords is a good practice, isn't it?

Hashing is certainly a good idea, and I'll be glad to give you a hand with implementing compatible hashing in Yunohost's interface. However, I understand that Yunohost already has its own authentication system, and you should consider whether it's better to spend time on implementing hashing, or whether it's better to work on integrating Galene into Yunohost's existing authentication system. Please see #64 for more on the latter.
