diff options
author | Erik Johnston <erik@matrix.org> | 2016-07-05 17:18:19 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2016-07-05 17:18:19 +0100 |
commit | caf33b2d9be1b992098a00ee61cf4b4009ee3a09 (patch) | |
tree | 4f72f239e27c548ff704b4f120cf629192e4b70f /synapse/rest/client | |
parent | Merge pull request #904 from matrix-org/dbkr/register_email_no_untrusted_id_s... (diff) | |
download | synapse-caf33b2d9be1b992098a00ee61cf4b4009ee3a09.tar.xz |
Protect password when registering using shared secret
Diffstat (limited to 'synapse/rest/client')
-rw-r--r-- | synapse/rest/client/v1/register.py | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py index d791d5e07e..0eb7490e5d 100644 --- a/synapse/rest/client/v1/register.py +++ b/synapse/rest/client/v1/register.py @@ -324,6 +324,8 @@ class RegisterRestServlet(ClientV1RestServlet): raise SynapseError(400, "Shared secret registration is not enabled") user = register_json["user"].encode("utf-8") + password = register_json["password"].encode("utf-8") + admin = register_json.get("admin", None) # str() because otherwise hmac complains that 'unicode' does not # have the buffer interface @@ -331,11 +333,12 @@ class RegisterRestServlet(ClientV1RestServlet): want_mac = hmac.new( key=self.hs.config.registration_shared_secret, - msg=user, digestmod=sha1, - ).hexdigest() - - password = register_json["password"].encode("utf-8") + ) + want_mac.update(user) + want_mac.update(password) + want_mac.update("admin" if admin else "notadmin") + want_mac = want_mac.hexdigest() if compare_digest(want_mac, got_mac): handler = self.handlers.registration_handler |