From 033647c8ac52378b8603ab456027f6929faa1d6e Mon Sep 17 00:00:00 2001
From: Daiyuu Nobori
Date: Mon, 6 Apr 2020 00:44:14 +0900
Subject: [PATCH] Fix security issue: Fix the security of JSON-API. If the administrator password of the Virtual Hub is empty, JSON-API (which was added in 4.30 Build 9696 Beta) will not be able to access to the virtual hub with a empty password since this release. Because there are relatively many cases in which administrator password is empty for a virtual hub, being able to manage a virtual hub without a password using JSON-API was a security problem. In this release, this behavior has been changed so that JSON-API cannot be accessed in the Virtual Hub management mode until it is configured with non-empty password.
---
 src/Cedar/Admin.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 8e88ed3c..d1ba7ecc 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -1018,11 +1018,14 @@ ADMIN *JsonRpcAuthLogin(CEDAR *c, SOCK *sock, HTTP_HEADER *h)
 {
 Lock(h->lock);
 {
- if (Cmp(pw_hash, h->HashedPassword, SHA1_SIZE) == 0)
+ if (Cmp(h->HashedPassword, empty_pw_hash, SHA1_SIZE) != 0 && IsZero(h->HashedPassword, sizeof(h->HashedPassword)) == false)
 {
- is_hub_admin = true;
+ if (Cmp(pw_hash, h->HashedPassword, SHA1_SIZE) == 0)
+ {
+ is_hub_admin = true;
 
- StrCpy(hub_name, sizeof(hub_name), h->Name);
+ StrCpy(hub_name, sizeof(hub_name), h->Name);
+ }
 }
 }
 Unlock(h->lock);
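Review bot: The new outer `if` on `h->HashedPassword` carries no explanation, and `empty_pw_hash` is computed outside this hunk, so a reader sees two unrelated byte comparisons with no hint that both mean "this hub has no admin password configured"; suggest `// Refuse JSON-API hub-admin login while the hub password is unset (hash of "" or all-zero), so an empty password can never grant admin access` directly above that condition. The nested `Cmp(pw_hash, h->HashedPassword, SHA1_SIZE) == 0` remains the actual authentication decision; if `Cmp` is a memcmp-style early-exit comparison, a constant-time compare would be preferable for that line, although that predates this commit. Rejected hubs now fall through silently with `is_hub_admin` left false, so an operator locked out by this change sees an ordinary auth failure; a log line at the rejection point would make the new policy visible. JsonRpcAuthLogin starts and ends outside the hunk.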