complete (insecure) password fetching on registration

2018-05-27 13:00:48 +02:00
parent 083c848347
commit a8903dcf9a
8 changed files with 38 additions and 13 deletions
--- a/public/index.php
+++ b/public/index.php
@@ -57,8 +57,10 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
        if (ctype_alnum($_POST['username']) != true) {
            throw new Exception("USERNAME_NOT_ALNUM");
        }
-        if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"] &&
-                $_POST["password"] != $_POST["password_confirm"]) {
+        if ($storePassword && (!isset($_POST["password"]) || !isset($_POST["password_confirm"]))) {
+                throw new Exception("PASSWORD_NOT_PROVIDED");
+        }
+        if ($storePassword && $_POST["password"] != $_POST["password_confirm"]) {
            throw new Exception("PASSWORD_NOT_MATCH");
        }
        if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
@@ -82,6 +84,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
        }

        $username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
+        $password = "";
        if ($storePassword && isset($_POST["password"])) {
            $password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
        }
@@ -89,7 +92,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);

        require_once(__DIR__ . "/../database.php");
-        $res = $mx_db->addRegistration($first_name, $last_name, $username, $note, $email);
+        $res = $mx_db->addRegistration($first_name, $last_name, $username, $password, $note, $email);

        if (!isset($res["verify_token"])) {
            error_log("sth. went wrong. registration did not throw but admin_token not set");
--- a/public/verify_admin.php
+++ b/public/verify_admin.php
@@ -71,11 +71,17 @@ try {
        $mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);

        $password = NULL;
+        $use_db_password = (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]);
        switch ($config["operationMode"]) {
            case "synapse":
                // register with registration_shared_secret
-                // generate a password with 10 characters
-                $password = bin2hex(openssl_random_pseudo_bytes(5));
+                if ($use_db_password && isset($user["password"]) && strlen($user["password"]) > 0) {
+                    $password = $user["password"];
+                } else {
+                    $use_db_password = false;
+                    // generate a password with 10 characters
+                    $password = bin2hex(openssl_random_pseudo_bytes(5));
+                }
                $res = $mxConn->register($username, $password, $config["registration_shared_secret"]);
                if (!$res) {
                    // something went wrong while registering
@@ -84,6 +90,7 @@ try {
                break;
            case "local":
                // register by adding a user to the local database
+                $use_db_password = false; // requires restructure to use db-provided pw
                $password = $mx_db->addUser($first_name, $last_name, $username, $email);
                break;
            default:
@@ -92,7 +99,13 @@ try {
        if ($password != NULL) {
            // send registration_success
            $res = send_mail_registration_success(
-                    $config["homeserver"], $first_name . " " . $last_name, $email, $username, $password, $config["howToURL"]
+                    $config["homeserver"],
+                    $first_name . " " . $last_name,
+                    $email,
+                    $username,
+                    // only send password when auto-created
+                    ($use_db_password ? NULL : $password),
+                    $config["howToURL"]
            );
            if ($res) {
                $mx_db->setRegistrationStateAdmin(RegisterState::AllDone, $token);