diff options
author | Erik Johnston <erikj@jki.re> | 2016-07-06 14:08:51 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-06 14:08:51 +0100 |
commit | f0c06ac65cc851dd138d9fb5d4e14b0485e91bbc (patch) | |
tree | 3f4192bb0e5707afe3711e7065f399daec04a535 /synapse/rest | |
parent | Merge pull request #910 from KentShikama/hash_password_followup (diff) | |
parent | Check that there are no null bytes in user and passsword (diff) | |
download | synapse-f0c06ac65cc851dd138d9fb5d4e14b0485e91bbc.tar.xz |
Merge pull request #909 from matrix-org/erikj/shared_secret
Add an admin option to shared secret registration (breaks backwards compat)
Diffstat (limited to 'synapse/rest')
-rw-r--r-- | synapse/rest/client/v1/register.py | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py index d791d5e07e..ce7099b18f 100644 --- a/synapse/rest/client/v1/register.py +++ b/synapse/rest/client/v1/register.py @@ -324,6 +324,14 @@ class RegisterRestServlet(ClientV1RestServlet): raise SynapseError(400, "Shared secret registration is not enabled") user = register_json["user"].encode("utf-8") + password = register_json["password"].encode("utf-8") + admin = register_json.get("admin", None) + + # Its important to check as we use null bytes as HMAC field separators + if "\x00" in user: + raise SynapseError(400, "Invalid user") + if "\x00" in password: + raise SynapseError(400, "Invalid password") # str() because otherwise hmac complains that 'unicode' does not # have the buffer interface @@ -331,17 +339,21 @@ class RegisterRestServlet(ClientV1RestServlet): want_mac = hmac.new( key=self.hs.config.registration_shared_secret, - msg=user, digestmod=sha1, - ).hexdigest() - - password = register_json["password"].encode("utf-8") + ) + want_mac.update(user) + want_mac.update("\x00") + want_mac.update(password) + want_mac.update("\x00") + want_mac.update("admin" if admin else "notadmin") + want_mac = want_mac.hexdigest() if compare_digest(want_mac, got_mac): handler = self.handlers.registration_handler user_id, token = yield handler.register( localpart=user, password=password, + admin=bool(admin), ) self._remove_session(session) defer.returnValue({ |