indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Check for system account logins via c2s

merge-requests/8/head
Bob Mottram 2020-11-23 09:51:26 +00:00
parent fdc05e987a
commit 99abc1f1f4
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
auth.py
View File

@ -11,6 +11,7 @@ import hashlib
import binascii import binascii
import os import os
import secrets import secrets
from utils import isSystemAccount
def hashPassword(password: str) -> str: def hashPassword(password: str) -> str:
@ -85,7 +86,7 @@ def authorizeBasic(baseDir: str, path: str, authHeader: str,
""" """
if ' ' not in authHeader: if ' ' not in authHeader:
if debug: if debug:
print('DEBUG: Authorixation header does not ' + print('DEBUG: basic auth - Authorixation header does not ' +
'contain a space character') 'contain a space character')
return False return False
if '/users/' not in path and \ if '/users/' not in path and \
@ -93,23 +94,32 @@ def authorizeBasic(baseDir: str, path: str, authHeader: str,
'/channel/' not in path and \ '/channel/' not in path and \
'/profile/' not in path: '/profile/' not in path:
if debug: if debug:
print('DEBUG: Path for Authorization does not contain a user') print('DEBUG: basic auth - ' +
'path for Authorization does not contain a user')
return False return False
pathUsersSection = path.split('/users/')[1] pathUsersSection = path.split('/users/')[1]
if '/' not in pathUsersSection: if '/' not in pathUsersSection:
if debug: if debug:
print('DEBUG: This is not a users endpoint') print('DEBUG: basic auth - this is not a users endpoint')
return False return False
nicknameFromPath = pathUsersSection.split('/')[0] nicknameFromPath = pathUsersSection.split('/')[0]
if isSystemAccount(nicknameFromPath):
print('basic auth - attempted login using system account ' +
nicknameFromPath + ' in path')
return False
base64Str = \ base64Str = \
authHeader.split(' ')[1].replace('\n', '').replace('\r', '') authHeader.split(' ')[1].replace('\n', '').replace('\r', '')
plain = base64.b64decode(base64Str).decode('utf-8') plain = base64.b64decode(base64Str).decode('utf-8')
if ':' not in plain: if ':' not in plain:
if debug: if debug:
print('DEBUG: Basic Auth header does not contain a ":" ' + print('DEBUG: basic Auth header does not contain a ":" ' +
'separator for username:password') 'separator for username:password')
return False return False
nickname = plain.split(':')[0] nickname = plain.split(':')[0]
if isSystemAccount(nickname):
print('basic auth - attempted login using system account ' + nickname +
' in Auth header')
return False
if nickname != nicknameFromPath: if nickname != nicknameFromPath:
if debug: if debug:
print('DEBUG: Nickname given in the path (' + nicknameFromPath + print('DEBUG: Nickname given in the path (' + nicknameFromPath +