Encrypted repo: Password length not enforced on server side #1033

Open
egroeper opened this issue Feb 25, 2016 · 0 comments
@egroeper (Contributor):

REPO_PASSWORD_MIN_LENGTH is not enforced on server side, but only checked by JS code.
That way you can easily bypass the check by sending an HTTP request directly.

We found this when we investigated another bug that was reported to us:
If you select the "encrypt" checkbox and choose a weak password, you get a warning message about the password length. If you then uncheck the "encrypt" checkbox and hit "Submit" the library gets created with the weak password.

Steps to reproduce weak password library creation:

  • "New library"
  • enter name, select "encrypt", enter weak password (i.e. "test")
  • hit "Submit"
  • uncheck "encrypt" checkbox
  • hit "Submit" again

In my opinion the correct solution for this is to enforce the password length on the server side, too!
And you should only care about the entered passwords, if the encryption checkbox is checked.
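
A server-side check of the kind the report asks for, added here as an illustration rather than Seafile's own code: the field names, the value 8 for REPO_PASSWORD_MIN_LENGTH and the two functions are assumptions. Every rule the browser JS applies is re-applied on the server, the password rules are only applied when the encrypt flag is set, and whether the library ends up encrypted is decided by that flag, not by a leftover password value in the request.

```python
from dataclasses import dataclass
from typing import List

# Assumed value for the example; in seahub it would come from the settings module.
REPO_PASSWORD_MIN_LENGTH = 8


@dataclass
class RepoCreateRequest:
    """Fields as they arrive in the POST, whether sent by the form's JS or hand-crafted."""
    name: str
    encrypt: bool
    password: str = ""
    password_again: str = ""


def validate_repo_create(req: RepoCreateRequest,
                         min_length: int = REPO_PASSWORD_MIN_LENGTH) -> List[str]:
    """Server-side validation; returns error messages (empty list means acceptable).

    The client-side JS check is a convenience only: a request that skipped the
    browser entirely must still be rejected here.
    """
    errors = []
    if not req.name.strip():
        errors.append("library name is required")
    if req.encrypt:
        # Password rules apply only when the caller actually asked for encryption.
        if not req.password:
            errors.append("password is required for an encrypted library")
        elif len(req.password) < min_length:
            errors.append(f"password must be at least {min_length} characters")
        if req.password != req.password_again:
            errors.append("passwords do not match")
    return errors


def create_repo(req: RepoCreateRequest,
                min_length: int = REPO_PASSWORD_MIN_LENGTH) -> dict:
    """Build the library description from a validated request.

    Encryption is driven by the encrypt flag alone: a password left over from an
    earlier form submission must never silently produce an encrypted library.
    """
    errors = validate_repo_create(req, min_length)
    if errors:
        raise ValueError("; ".join(errors))
    return {"name": req.name,
            "encrypted": req.encrypt,
            "password": req.password if req.encrypt else None}
```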

@freeplant freeplant added the bug label Mar 15, 2016