mirror of
https://github.com/mjl-/mox.git
synced 2025-07-10 07:14:40 +03:00
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization
an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
This commit is contained in:
@ -11,6 +11,7 @@ import (
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/text/secure/precis"
|
||||
|
||||
"github.com/mjl-/mox/mlog"
|
||||
"github.com/mjl-/mox/mox-"
|
||||
@ -48,6 +49,11 @@ func (a *adminSessionAuth) login(ctx context.Context, log mlog.Log, username, pa
|
||||
return false, "", fmt.Errorf("reading password file: %v", err)
|
||||
}
|
||||
passwordhash := strings.TrimSpace(string(buf))
|
||||
// Transform with precis, if valid. ../rfc/8265:679
|
||||
pw, err := precis.OpaqueString.String(password)
|
||||
if err == nil {
|
||||
password = pw
|
||||
}
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(passwordhash), []byte(password)); err != nil {
|
||||
return false, "", nil
|
||||
}
|
||||
|
Reference in New Issue
Block a user