github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-14 10:37:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Hardening password checks

Browse source
This commit is contained in:
Serghey Rodin 2018-04-08 21:50:32 +03:00
commit 3fdee2975d
4 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
web/api/index.php
View file

@ -18,13 +18,15 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
/* No hash auth for security reason
} else {
$key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
if (file_exists($key) && is_file($key)) {
$auth_code = '0';
}
*/
}
if ($auth_code != 0 ) {