
authorsunnavy <sunnavy@bestpractical.com>2021-09-15 00:09:27 +0300
committersunnavy <sunnavy@bestpractical.com>2021-09-15 00:09:27 +0300
commit99bf2435eb7935043ae71b3560099e930250d6e2 (patch)
treef05e5db9cde2d4d39a6b1377bc85d36d09b69c04
parentebc95f4c74f5f1d27dc6b051f9b23fedc0baa8d7 (diff)
parent8d461472f0e236fefcd29373f2f284de51a51e54 (diff)
Merge branch '4.4-trunk' into 5.0-trunk
-rw-r--r--lib/RT/Handle.pm2
-rw-r--r--lib/RT/Interface/Web.pm8
-rw-r--r--lib/RT/User.pm9
3 files changed, 16 insertions, 3 deletions
diff --git a/lib/RT/Handle.pm b/lib/RT/Handle.pm
index 4b36c123b1..3f741fa7ff 100644
--- a/lib/RT/Handle.pm
+++ b/lib/RT/Handle.pm
@@ -863,6 +863,8 @@ sub InsertData {
local $@;
+ # Get the full path since . is no longer in @INC after perl 5.24
+ $datafile = Cwd::abs_path($datafile);
$RT::Logger->debug("Going to load '$datafile' data file");
my $datafile_content = do {
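Review bot: `Cwd::abs_path` returns undef (and can warn) when the given path does not exist, so a mistyped or missing data file reaches the debug line and the read that follows as an undefined `$datafile`, and the resulting error no longer names the file the caller asked for. `File::Spec->rel2abs` yields the absolute path needed to sidestep the `@INC` lookup without requiring the file to exist, so the later failure still reports the original name: `$datafile = File::Spec->rel2abs($datafile);` (loading File::Spec if Handle.pm does not already). If the symlink resolution of abs_path is deliberately wanted, at least keep the original on failure: `$datafile = Cwd::abs_path($datafile) // $datafile;`. Since the contents appear to be loaded as Perl code, the comment could also state that the path must come from a trusted source. InsertData starts and ends outside this hunk.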
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 859ceacd40..9e18df4afa 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -842,10 +842,18 @@ sub AttemptPasswordAuthentication {
my $user_obj = RT::CurrentUser->new();
$user_obj->Load( $ARGS->{user} );
+ # Load the RT system user as well to avoid timing side channel
+ my $system_user = RT::CurrentUser->new();
+ $system_user->Load(1); # User with ID 1 should always exist!
+
my $m = $HTML::Mason::Commands::m;
my $remote_addr = RequestENV('REMOTE_ADDR');
unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
+ if (!$user_obj->id) {
+ # Avoid timing side channel... always run IsPassword
+ $system_user->IsPassword( $ARGS->{pass} );
+ }
$RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $remote_addr");
$m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
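Review bot: The dummy `$system_user->IsPassword` call on the `!$user_obj->id` branch only closes the user-enumeration timing gap if the RT_System object actually reaches the bcrypt work, yet the comment on the `Load(1)` line asserts ID 1 always exists while nothing verifies it; if that load ever fails, the mitigation likely degrades silently with no indication in the logs. A one-line guard makes the failure visible: `$RT::Logger->crit("RT system user (id 1) not loaded; login timing mitigation inactive") unless $system_user->id;`. It is also worth a comment that the equalisation depends on `IsPassword` (outside this hunk) spending the same bcrypt cost for a user without a stored hash as it does for a real stored hash, since an older hash with a different cost would still be distinguishable. AttemptPasswordAuthentication continues outside this hunk.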
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index a83b00ac6e..5c794cb5cb 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1237,15 +1237,18 @@ sub IsPassword {
}
if ( $self->PrincipalObj->Disabled ) {
+ # Run the bcrypt generator to avoid timing side-channel attacks
+ RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
$RT::Logger->info(
"Disabled user " . $self->Name . " tried to log in" );
return (undef);
}
unless ($self->HasPassword) {
- return(undef);
- }
-
+ # Run the bcrypt generator to avoid timing side-channel attacks
+ RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+ return undef;
+ }
my $stored = $self->__Value('Password');
if ($stored =~ /^!/) {
# If it's a new-style (>= RT 4.0) password, it starts with a '!'
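Review bot: The dummy-hash line `RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64)` is duplicated verbatim in the Disabled branch and the `!HasPassword` branch, and neither copy explains why the comparison result is discarded or why `'0' x 64` is the comparand, which is the kind of line a later maintainer is likely to "simplify" away. Extracting it into one private method with a comment that the point is to burn the same bcrypt time as a real check keeps both branches identical and documents the intent in one place. Note that IsPassword begins before this hunk and continues after it, so any early returns above the `Disabled` check would still bypass the dummy work and are worth checking separately.
```perl
# Spend the same bcrypt work a real password check would, so that a
# disabled or password-less account cannot be told apart from an active
# one by response time.  The comparison result is intentionally ignored;
# '0' x 64 is just a never-matching comparand.
sub _BurnPasswordCheckTime {
    my ($self, $value) = @_;
    RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
    return;
}
# … unchanged: earlier checks in IsPassword …
    if ( $self->PrincipalObj->Disabled ) {
        $self->_BurnPasswordCheckTime($value);
# … unchanged: log and return undef …
    unless ($self->HasPassword) {
        $self->_BurnPasswordCheckTime($value);
        return undef;
    }
```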