From 2edb9522f1ab449d935e9b7f76dc0be1ea1b0fb1 Mon Sep 17 00:00:00 2001
From: Christian Nicolai
Date: Fri, 20 Oct 2017 16:20:38 +0000
Subject: [PATCH] auth: fix broken password check

Guessing an existing user's name was enough to successfully authenticate.
---
 lib/dyndnsd.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dyndnsd.rb b/lib/dyndnsd.rb
index 199b52a..c228f82 100644
--- a/lib/dyndnsd.rb
+++ b/lib/dyndnsd.rb
@@ -201,7 +201,7 @@ module Dyndnsd
 # configure rack
 app = Daemon.new(config, db, updater, responder)
 app = Rack::Auth::Basic.new(app, "DynDNS") do |user,pass|
- allow = (config['users'].has_key? user) and (config['users'][user]['password'] == pass)
+ allow = ((config['users'].has_key? user) and (config['users'][user]['password'] == pass))
 if not allow
 Dyndnsd.logger.warn "Login failed for #{user}"
 Metriks.meter('requests.auth_failed').mark
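Review bot: The added `allow = ((...) and (...))` line still relies on `and`, which binds more loosely than `=`; that precedence is what made the old line assign only the `has_key?` result to `allow`, and the extra outer parentheses are easy to drop again in a later edit. Using `&&` removes the trap: `allow = config['users'].key?(user) && config['users'][user]['password'] == pass`. Separately, `==` on the password is not a constant-time comparison; `Rack::Utils.secure_compare(config['users'][user]['password'], pass)` would be the safer form, assuming the configured password is always a String. The failed-login branch also interpolates the client-supplied `user` into the log message as-is, so `"Login failed for #{user.inspect}"` would keep line breaks and control characters out of the log. The `do |user,pass|` block continues past the end of the hunk, and a regression test for a known user with a wrong password would pin this fix.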