From 3fdee2975db0c80419a0dfefff3c10a2c4de6410 Mon Sep 17 00:00:00 2001
From: Serghey Rodin
Date: Sun, 8 Apr 2018 21:50:32 +0300
Subject: [PATCH] Hardening password checks

---
 bin/v-check-user-password | 2 +-
 func/main.sh | 2 +-
 web/api/index.php | 4 +++-
 web/login/index.php | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/bin/v-check-user-password b/bin/v-check-user-password
index 6d829c3ad..57e59da3f 100755
--- a/bin/v-check-user-password
+++ b/bin/v-check-user-password
@@ -82,7 +82,7 @@ if [ -z "$salt" ]; then
 fi
 
 # Generating hash
-hash=$($BIN/v-generate-password-hash $method $salt <<< $password)
+hash=$($BIN/v-generate-password-hash $method $salt <<< "$password")
 if [[ -z "$hash" ]]; then
 echo "Error: password missmatch"
 echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
diff --git a/func/main.sh b/func/main.sh
index cec978884..3b04d250b 100644
--- a/func/main.sh
+++ b/func/main.sh
@@ -273,7 +273,7 @@ is_object_value_exist() {
 is_password_valid() {
 if [[ "$password" =~ ^/tmp/ ]]; then
 if [ -f "$password" ]; then
- password=$(head -n1 $password)
+ password="$(head -n1 $password)"
 fi
 fi
 }
diff --git a/web/api/index.php b/web/api/index.php
index 97f082594..1ad9d595a 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -18,13 +18,15 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 fwrite($fp, $_POST['password']."\n");
 fclose($fp);
 $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." '".$v_ip_addr."'", $output, $auth_code);
 unlink($v_password);
+ /* No hash auth for security reason
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
 if (file_exists($key) && is_file($key)) {
 $auth_code = '0';
 }
+ */
 }
 
 if ($auth_code != 0 ) {
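Review bot: Only `$password` gained quotes on the new hash line while `$BIN`, `$method` and `$salt` on the same line remain unquoted, and in current bash a here-string word is neither word-split nor globbed, so the quote that was added changes the least exposed part of the line. Quote the whole command: `hash=$("$BIN/v-generate-password-hash" "$method" "$salt" <<< "$password")`. `$salt` is only tested for emptiness in the hunk header; nothing visible validates its contents, so an unexpected value would be split into extra arguments to the hash helper. The rest of the script is outside the hunk.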
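Review bot: The inner `$password` in `head -n1 $password` is still unquoted even though the same variable is quoted in both tests above it, so a value with spaces or glob characters is split before it reaches head, which is what the outer quotes were added to prevent. Write `password="$(head -n1 "$password")"`. Separately, `-f` follows symlinks and nothing here checks who owns the /tmp file; if this function runs as a different user than the one that creates the file (not visible here), a planted symlink under /tmp would have its first line consumed as the password candidate, so `[ -f "$password" ] && [ ! -L "$password" ]` would be a cheap extra guard. The whole function is visible in the hunk.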
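Review bot: With the hash branch commented out, a request carrying only `$_POST['hash']` is still admitted by the outer `isset(...) || isset(...)` in the hunk header and reaches `if ($auth_code != 0 )` without any visible assignment to `$auth_code`; unless it is initialised to a non-zero value earlier in the file, an unset `$auth_code` compares loosely equal to 0 in PHP and the check passes. Replace the block comment with an explicit denial, `} else { $auth_code = 1; }`, or drop `isset($_POST['hash'])` from the outer condition. The new exec line also still concatenates `$v_user` raw while `$v_password` and the IP are escaped; if it is not already escaped where it is assigned (outside the hunk), wrap it as `escapeshellarg($v_user)`. The IP is escaped and then wrapped in a second pair of single quotes, which only works because escapeshellarg already supplies its own. The enclosing if block starts before the hunk.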
diff --git a/web/login/index.php b/web/login/index.php
index 4be64eccb..6e3d5def7 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -44,7 +44,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
 fclose($fp);
 
 // Check user & password
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".escapeshellarg($_SERVER['REMOTE_ADDR']), $output, $return_var);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." ".escapeshellarg($_SERVER['REMOTE_ADDR']), $output, $return_var);
 unset($output);
 
 // Remove tmp file
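Review bot: `$v_user` is still inserted into the command unescaped on the new exec line, while `$v_password` and REMOTE_ADDR now both go through escapeshellarg; unless `$v_user` is already escaped or validated where it is assigned (outside this hunk), a username with shell metacharacters reaches the shell. Wrap it the same way: `escapeshellarg($v_user)." ".escapeshellarg($v_password)`. For consistency with the API endpoint, this file's form of passing the IP (escapeshellarg alone, no extra quotes) is the one to keep. The enclosing if block starts before the hunk.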