| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
libweb has introduced several breaking changes:
- Add optional expiration date to http_cookie_create
- Replace Makefile with configure script
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]
Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]
As an alternative to OpenSSL, libsodium [4] had several benefits:
- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).
- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.
Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.
In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).
[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
So far, auth_login was looking for a key that matched the expected HMAC,
among all registered users, and therefore without looking up the
username from the cookie key.
This allowed attackers to forge a cookie with a valid key but another
username, and therefore see the contents from other users.
|
| |
|
|
|
| |
crealpath already provides a mechanism to determine the current working
directory from getcwd(3).
|
| |
|
|
|
|
| |
Even if this specific use of sprintf(3) was safe because sizeof
sha256_str > (sizeof sha256 * 2), some implementations would consider
sprintf(3) unsafe anyway.
|
| |
|
|
|
|
| |
It makes no sense to attempt to fopen(3) an empty file and malloc(3)
zero bytes so as to dump it, as dump_db is still meant to fail on empty
files.
|
| |
|
|
|
|
|
|
| |
For platforms where int is a 16-bit data type, this operation might
overflow and possibly cause either unexpected behaviour and/or a
compiler warning.
Therefore, it is safer to promote each integer constant accordingly.
|
| | |
|
| |
|
|
|
| |
As opposed to other integer constants such as ULLONG_MAX, SIZE_MAX is
defined by stdint.h, not limits.h.
|
| |
|
|
|
| |
slweb puts its header files into its own directory in order to avoid
potential name clashing.
|
| |
|
|
| |
Otherwise, sb.st_size + 1 would exceed SIZE_MAX.
|
| |
|
|
|
| |
Otherwise, slcl would create broken symbolic links if the user passes a
relative path as command line argument.
|
| | |
|
| |
|
|
|
|
|
| |
- Error detection against strotul(3) has been improved, as done in other
places.
- New function encode_hex has been implemented, which will be used
by future commits.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This feature allows admins to set a specific quota for each user, in
MiB. This feature is particularly useful for shared instances, where
unlimited user storage might be unfeasible or even dangerous for the
server.
Also, a nice HTML5 <progress> element has been added to the site that
shows how much of the quota has been consumed.
If no quota is set, slcl falls back to the default behaviour i.e.,
assume unlimited storage.
Limitations:
- While HTTP does specify a Content-Length, which determines the length
of the whole request, it does not specify how many files are involved
or their individual sizes.
- Because of this, if multiple files are uploaded simultaneously, the
whole request would be dropped if user quota is exceeded, even if not
all files exceeded it.
- Also, Content-Length adds the length of some HTTP boilerplate
(e.g.: boundaries), but slcl must rely on this before accepting the
whole request. In other words, this means some requests might be
rejected by slcl because of the extra bytes caused by such boilerplate.
- When the quota is exceeded, slcl must close the connection so that
the rest of the transfer is cancelled. Unfortunately, this means no
HTML can be sent back to the customer to inform about the situation.
|
| |
|
