From caeadf1397db00c6b7ba218b1910508099802e39 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Alfonso=20Mart=C3=ADnez?=
Date: Tue, 9 Feb 2021 11:17:52 +0100
Subject: [PATCH] mgr/dashboard: delete EOF when reading passwords from file
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Alfonso Martínez
---
 .../mgr/dashboard/tests/test_access_control.py | 12 ++++++++++++
 src/pybind/mgr/mgr_module.py | 6 ++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/pybind/mgr/dashboard/tests/test_access_control.py b/src/pybind/mgr/dashboard/tests/test_access_control.py
index ba0db6b159015..622880d8369d3 100644
--- a/src/pybind/mgr/dashboard/tests/test_access_control.py
+++ b/src/pybind/mgr/dashboard/tests/test_access_control.py
@@ -581,6 +581,18 @@ class AccessControlTest(unittest.TestCase, CLICommandTestMixin):
 'admin@user.com')
 self.assertGreaterEqual(user['lastUpdate'], user_orig['lastUpdate'])
 
+ def test_sanitize_password(self):
+ self.test_create_user()
+ password = 'myPass\\n\\r\\n'
+ with open('/tmp/test_sanitize_password.txt', 'w+') as pwd_file:
+ # Add new line separators (like some text editors when a file is saved).
+ pwd_file.write('{}{}'.format(password, '\n\r\n\n'))
+ pwd_file.seek(0)
+ user = self.exec_cmd('ac-user-set-password', username='admin',
+ inbuf=pwd_file.read(), force_password=True)
+ pass_hash = password_hash(password, user['password'])
+ self.assertEqual(user['password'], pass_hash)
+
 def test_set_user_password_nonexistent_user(self):
 with self.assertRaises(CmdException) as ctx:
 self.exec_cmd('ac-user-set-password', username='admin',
diff --git a/src/pybind/mgr/mgr_module.py b/src/pybind/mgr/mgr_module.py
index 37acf88e3a60a..8d52243f50351 100644
--- a/src/pybind/mgr/mgr_module.py
+++ b/src/pybind/mgr/mgr_module.py
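Review bot: In tests/test_access_control.py, `test_sanitize_password` round-trips the password through a fixed, predictable path, `/tmp/test_sanitize_password.txt`, which is never removed and can collide with, or be pre-created by, another user on a shared build host. Opening it in text mode also applies universal-newline translation on read, so the `\r\n` written to the file most likely comes back as `\n` and the CRLF case is never handed to the command. Passing the string straight through, `inbuf='{}{}'.format(password, '\n\r\n\n')`, removes both problems. If a real file is wanted, `tempfile.NamedTemporaryFile('w+', newline='')` keeps the line endings intact and cleans up after itself.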
@@ -414,8 +414,10 @@ def CLICheckNonemptyFileInput(func: HandlerFuncType) -> HandlerFuncType:
 def check(*args: Any, **kwargs: Any) -> Tuple[int, str, str]:
 if 'inbuf' not in kwargs:
 return -errno.EINVAL, '', ERROR_MSG_NO_INPUT_FILE
- if not kwargs['inbuf'] or (isinstance(kwargs['inbuf'], str)
- and not kwargs['inbuf'].strip('\n')):
+ if isinstance(kwargs['inbuf'], str):
+ # Delete new line separator at EOF (it may have been added by a text editor).
+ kwargs['inbuf'] = kwargs['inbuf'].rstrip('\r\n').rstrip('\n')
+ if not kwargs['inbuf']:
 return -errno.EINVAL, '', ERROR_MSG_EMPTY_INPUT_FILE
 return func(*args, **kwargs)
 check.__signature__ = inspect.signature(func) # type: ignore[attr-defined]
-- 
2.39.5
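Review bot: In `check`, `rstrip('\r\n')` takes a character set rather than a suffix, so it already removes every trailing `\r` and `\n`; the chained `.rstrip('\n')` never does anything, and the comment's "separator at EOF" understates what is stripped. The line can be `kwargs['inbuf'] = kwargs['inbuf'].rstrip('\r\n')`. The decorator now rewrites `inbuf` before the wrapped handler sees it, so a secret whose last character really is `\r` or `\n` is silently shortened for every command that uses it. That is worth stating on the decorator, whose definition begins outside this hunk, e.g. `# NOTE: trailing CR/LF are removed from inbuf before the handler runs`. A non-str `inbuf` such as bytes skips the stripping and is only checked for emptiness, which may be intended but should be confirmed.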