Differences From Artifact [7deafec480]:
- File
tests/test.scm
— part of check-in
[1b5a5d3a6e]
at
2016-10-20 17:53:01
on branch crypt
— Replace external openssl call with "crypt" egg.
The OpenSSL call was using the old UNIX crypt DES password hashing, which is very weak. Crypt will default to a more sensible mechanism (Blowfish, but in the future could transparently switch).
Old passwords will continue to work, because the crypt egg detects DES salts and happily hashes them. When creating new passwords, they will be hashed using the modern algorithm.
The OpenSSL call passed the password to the shell, so an onlooker on the server could see it in plaintext. It also neglected to escape the password for the shell, resulting in a command injection vulnerability. (user: sjamaan, size: 8378) [annotate] [blame] [check-ins using]
To Artifact [5b953a7034]:
- File tests/test.scm — part of check-in [7592869969] at 2016-11-08 06:18:54 on branch crypt — Added escape of \n \r as option to session:apply-type-preference (user: matt, size: 8405) [annotate] [blame] [check-ins using] [more...]
| ︙ | ︙ | |||
10 11 12 13 14 15 16 | ;; PURPOSE. (use test md5) (require-extension sqlite3) (import (prefix sqlite3 sqlite3:)) | | > | 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | ;; PURPOSE. (use test md5) (require-extension sqlite3) (import (prefix sqlite3 sqlite3:)) ;; (require-library dbi) (use (prefix dbi dbi:)) (load "./requirements.scm") (load "./cookie.scm") (load "./misc-stml.scm") (load "./formdat.scm") (load "./stml.scm") (load "./session.scm") |
| ︙ | ︙ |