summary refs log tree commit diff
path: root/synapse/rest
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2016-07-05 17:18:19 +0100
committerErik Johnston <erik@matrix.org>2016-07-05 17:18:19 +0100
commitcaf33b2d9be1b992098a00ee61cf4b4009ee3a09 (patch)
tree4f72f239e27c548ff704b4f120cf629192e4b70f /synapse/rest
parentMerge pull request #904 from matrix-org/dbkr/register_email_no_untrusted_id_s... (diff)
downloadsynapse-caf33b2d9be1b992098a00ee61cf4b4009ee3a09.tar.xz
Protect password when registering using shared secret
Diffstat (limited to 'synapse/rest')
-rw-r--r--synapse/rest/client/v1/register.py11
1 files changed, 7 insertions, 4 deletions
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index d791d5e07e..0eb7490e5d 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -324,6 +324,8 @@ class RegisterRestServlet(ClientV1RestServlet):
             raise SynapseError(400, "Shared secret registration is not enabled")
 
         user = register_json["user"].encode("utf-8")
+        password = register_json["password"].encode("utf-8")
+        admin = register_json.get("admin", None)
 
         # str() because otherwise hmac complains that 'unicode' does not
         # have the buffer interface
@@ -331,11 +333,12 @@ class RegisterRestServlet(ClientV1RestServlet):
 
         want_mac = hmac.new(
             key=self.hs.config.registration_shared_secret,
-            msg=user,
             digestmod=sha1,
-        ).hexdigest()
-
-        password = register_json["password"].encode("utf-8")
+        )
+        want_mac.update(user)
+        want_mac.update(password)
+        want_mac.update("admin" if admin else "notadmin")
+        want_mac = want_mac.hexdigest()
 
         if compare_digest(want_mac, got_mac):
             handler = self.handlers.registration_handler