RHEL-67571 password is ignored when set in web ui

Resolves: RHEL-67571
2024-11-14 13:17:07 +01:00 · 2024-11-14 13:17:07 +01:00 · 01a8912e01
commit 01a8912e01
parent b8d03d768c
2 changed files with 158 additions and 1 deletions
--- a/0001-Fix-password-hash-comparisons-Issue-373.patch
+++ b/0001-Fix-password-hash-comparisons-Issue-373.patch
@ -0,0 +1,151 @@
+From f4d0039a1f5c62a3b998dc26f90a8f5568749a16 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Wed, 13 Nov 2024 14:29:24 -0500
+Subject: [PATCH] Fix password hash comparisons (Issue #373)
+
+---
+ CHANGES.md               |  1 +
+ pappl/client-webif.c     | 33 ++++++++++++++++++++++++++++++---
+ pappl/system-accessors.c |  2 +-
+ 3 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/pappl/client-webif.c b/pappl/client-webif.c
+index 8ae7d25..48714be 100644
+--- a/pappl/client-webif.c
+++ b/pappl/client-webif.c
+@@ -1,7 +1,7 @@
+ //
+ // Core client web interface functions for the Printer Application Framework
+ //
+-// Copyright © 2019-2023 by Michael R Sweet.
+// Copyright © 2019-2024 by Michael R Sweet.
+ // Copyright © 2010-2019 by Apple Inc.
+ //
+ // Licensed under Apache License v2.0.  See the file "LICENSE" for more
+@@ -451,34 +451,49 @@ papplClientHTMLAuthorize(
+ 
+   // Don't authorize if we have no auth service or we don't have a password set.
+   if (!client || (!client->system->auth_service && !client->system->auth_cb && !client->system->password_hash[0]))
+  {
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: auth_service='%s', auth_cb=%s, password_hash=%s\n", client->system->auth_service, client->system->auth_cb != NULL ? "set" : "unset", client->system->password_hash[0] ? "set" : "unset");
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.");
+     return (true);
+  }
+ 
+   // When using an auth service, use HTTP Basic authentication...
+   if (client->system->auth_service || client->system->auth_cb)
+   {
+     http_status_t code = papplClientIsAuthorized(client);
+					// Authorization status code
+
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: code=%d.\n", code);
+ 
+     if (code != HTTP_STATUS_CONTINUE)
+     {
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning false.\n");
+       papplClientRespond(client, code, NULL, NULL, 0, 0);
+       return (false);
+     }
+     else
+    {
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n");
+       return (true);
+    }
+   }
+ 
+   // Otherwise look for the authorization cookie...
+   if (papplClientGetCookie(client, "auth", auth_cookie, sizeof(auth_cookie)))
+   {
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: Got auth cookie '%s'.\n", auth_cookie);
+     snprintf(auth_text, sizeof(auth_text), "%s:%s", papplSystemGetSessionKey(client->system, session_key, sizeof(session_key)), papplSystemGetPassword(client->system, password_hash, sizeof(password_hash)));
+     cupsHashData("sha2-256", (unsigned char *)auth_text, strlen(auth_text), auth_hash, sizeof(auth_hash));
+     cupsHashString(auth_hash, sizeof(auth_hash), auth_text, sizeof(auth_text));
+ 
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: Expect auth cookie '%s'.\n", auth_text);
+
+     if (_papplIsEqual(auth_cookie, auth_text))
+     {
+       // Hashes match so we are authorized.  Use "web-admin" as the username.
+       papplCopyString(client->username, "web-admin", sizeof(client->username));
+ 
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n");
+       return (true);
+     }
+   }
+@@ -491,6 +506,8 @@ papplClientHTMLAuthorize(
+     cups_option_t	*form = NULL;	// Form variables
+     const char		*password;	// Password from user
+ 
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: POST.\n");
+
+     if ((num_form = (cups_len_t)papplClientGetForm(client, &form)) == 0)
+     {
+       status = "Invalid form data.";
+@@ -509,7 +526,10 @@ papplClientHTMLAuthorize(
+       papplSystemGetPassword(client->system, password_hash, sizeof(password_hash));
+       papplSystemHashPassword(client->system, password_hash, password, auth_text, sizeof(auth_text));
+ 
+-      if (!strncmp(password_hash, auth_text, strlen(password_hash)))
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Saved password_hash is '%s'.\n", password_hash);
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Hashed form password is '%s'.\n", auth_text);
+
+      if (_papplIsEqual(password_hash, auth_text))
+       {
+         // Password hashes match, generate the cookie from the session key and
+         // password hash...
+@@ -518,7 +538,8 @@ papplClientHTMLAuthorize(
+ 	cupsHashData("sha2-256", (unsigned char *)auth_text, strlen(auth_text), auth_hash, sizeof(auth_hash));
+ 	cupsHashString(auth_hash, sizeof(auth_hash), auth_text, sizeof(auth_text));
+ 
+-        papplClientSetCookie(client, "auth", auth_text, 3600);
+	papplClientSetCookie(client, "auth", auth_text, 3600);
+        _PAPPL_DEBUG("papplClientHTMLAuthorize: Setting 'auth' cookie to '%s'.\n", auth_text);
+       }
+       else
+       {
+@@ -531,16 +552,21 @@ papplClientHTMLAuthorize(
+     // Make the caller think this is a GET request...
+     client->operation = HTTP_STATE_GET;
+ 
+    _PAPPL_DEBUG("papplClientHTMLAuthorize: Status message is '%s'.\n", status);
+
+     if (!status)
+     {
+       // Hashes match so we are authorized.  Use "web-admin" as the username.
+       papplCopyString(client->username, "web-admin", sizeof(client->username));
+ 
+      _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning true.\n");
+       return (true);
+     }
+   }
+ 
+   // If we get this far, show the standard login form...
+  _PAPPL_DEBUG("papplClientHTMLAuthorize: Showing login form.\n");
+
+   papplClientRespond(client, HTTP_STATUS_OK, NULL, "text/html", 0, 0);
+   papplClientHTMLHeader(client, "Login", 0);
+   papplClientHTMLPuts(client,
+@@ -560,6 +586,7 @@ papplClientHTMLAuthorize(
+                       "      </div>\n");
+   papplClientHTMLFooter(client);
+ 
+  _PAPPL_DEBUG("papplClientHTMLAuthorize: Returning false.\n");
+   return (false);
+ }
+ 
+diff --git a/pappl/system-accessors.c b/pappl/system-accessors.c
+index ed52aa6..bcde6aa 100644
+--- a/pappl/system-accessors.c
+++ b/pappl/system-accessors.c
+@@ -1289,7 +1289,7 @@ papplSystemHashPassword(
+     {
+       // Copy existing nonce from the salt string...
+       papplCopyString(nonce, salt, sizeof(nonce));
+-      if ((ptr = strchr(nonce, ':')) != NULL)
+      if ((ptr = strchr(nonce, '~')) != NULL)
+         *ptr = '\0';
+     }
+     else
+-- 
+2.47.0
+
--- a/pappl.spec
+++ b/pappl.spec
@ -10,7 +10,7 @@
 Summary: Printer Application Framework (PAPPL)
 Name: pappl
 Version: 1.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Apache-2.0 WITH LLVM-exception
 Source: https://github.com/michaelrsweet/pappl/releases/download/v%{version}/pappl-%{version}.tar.gz
 Url: https://www.msweet.org/pappl
@ -23,6 +23,9 @@ Patch002: 0001-Fix-port-number-user-input-when-adding-a-printer-Iss.patch
 # raise MAX_VENDOR https://sourceforge.net/p/gimp-print/mailman/gimp-print-devel/thread/e24b2385-6576-a949-a40d-3786c8067520%40gmail.com/#msg37353830
 # downstream only, Mike does not want to merge the change
 Patch003: pappl-max-vendors.patch
+# RHEL-67571 password is ignored when set in web ui
+# https://github.com/michaelrsweet/pappl/commit/f4d0039a
+Patch007: 0001-Fix-password-hash-comparisons-Issue-373.patch


 BuildRequires: avahi-devel
@ -112,6 +115,9 @@ make test
 %{_mandir}/man3/pappl-system.3.gz

 %changelog
+* Thu Nov 14 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1.4.6-5
+- RHEL-67571 password is ignored when set in web ui
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.4.6-4
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018