From 1ac378063e37e5b1485438e5321252b42471ba79 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Wed, 27 Apr 2022 19:10:03 +0200 Subject: Apply disallow_empty_password to password changes too --- builtin/settingtypes.txt | 2 +- src/network/serverpackethandler.cpp | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/builtin/settingtypes.txt b/builtin/settingtypes.txt index 42b45aa00..01bebe4cc 100644 --- a/builtin/settingtypes.txt +++ b/builtin/settingtypes.txt @@ -1123,7 +1123,7 @@ enable_mod_channels (Mod channels) bool false # If this is set, players will always (re)spawn at the given position. static_spawnpoint (Static spawnpoint) string -# If enabled, new players cannot join with an empty password. +# If enabled, players cannot join without a password or change theirs to an empty password. disallow_empty_password (Disallow empty passwords) bool false # If enabled, disable cheat prevention in multiplayer. diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp index ee94edc3c..366ec2d28 100644 --- a/src/network/serverpackethandler.cpp +++ b/src/network/serverpackethandler.cpp @@ -1476,6 +1476,9 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt) verbosestream << "Server: Got TOSERVER_FIRST_SRP from " << addr_s << ", with is_empty=" << (is_empty == 1) << std::endl; + const bool empty_disallowed = !isSingleplayer() && is_empty == 1 && + g_settings->getBool("disallow_empty_password"); + // Either this packet is sent because the user is new or to change the password if (cstate == CS_HelloSent) { if (!client->isMechAllowed(AUTH_MECHANISM_FIRST_SRP)) { 
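Review bot: `empty_disallowed` in the first serverpackethandler.cpp hunk is built from `is_empty`, which appears to be a flag taken from the client's TOSERVER_FIRST_SRP packet (the read is outside the hunk), so the policy only binds clients that report it truthfully. The server is handed just the salt and SRP verifier, and nothing visible here checks that the verifier does not correspond to an empty password. I would add a comment above the new line such as `// is_empty is client-reported; the verifier itself is not checked against the empty password`, and consider deriving the empty-password verifier from the supplied salt and comparing it with `verification_key` before accepting. The new settingtypes.txt wording ("players cannot join without a password") reads as a hard guarantee and should be softened unless that server-side comparison is added. handleCommand_FirstSrp starts and ends outside this hunk.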
@@ -1486,9 +1489,7 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt) return; } - if (!isSingleplayer() && - g_settings->getBool("disallow_empty_password") && - is_empty == 1) { + if (empty_disallowed) { actionstream << "Server: " << playername << " supplied empty password from " << addr_s << std::endl; DenyAccess(peer_id, SERVER_ACCESSDENIED_EMPTY_PASSWORD); @@ -1521,6 +1522,15 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt) return; } m_clients.event(peer_id, CSE_SudoLeave); + + if (empty_disallowed) { + actionstream << "Server: " << playername + << " supplied empty password" << std::endl; + SendChatMessage(peer_id, ChatMessage(CHATMESSAGE_TYPE_SYSTEM, + L"Changing to an empty password is not allowed.")); + return; + } + std::string pw_db_field = encode_srp_verifier(verification_key, salt); bool success = m_script->setPassword(playername, pw_db_field); if (success) { -- cgit v1.2.3
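Review bot: The rejection added in the password-change branch (third hunk) logs `" supplied empty password"` without `addr_s`, unlike the join-path message in the hunk above, so the action log can neither tell the two events apart nor tie the attempt to a peer address. I would write it as `actionstream << "Server: " << playername << " tried to change to an empty password from " << addr_s << std::endl;`. The check sits after `m_clients.event(peer_id, CSE_SudoLeave)`, so a rejected attempt still ends sudo mode; that looks intended, but a one-line comment saying so would stop a later reorder from keeping sudo open on failure. The function body continues outside the hunk.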