Mercurial > prosody-hg
changeset 14120:0e9e3efa381f 13.0
mod_admin_shell: Fail user creation/modification if new password fails saslprep
This saves us from setting an invalid password and preventing the new account
from authenticating.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 02 Apr 2026 20:53:04 +0100 |
| parents | 519c16c2eb21 |
| children | 7008869fcce2 8a4417d32b0f |
| files | plugins/mod_admin_shell.lua |
| diffstat | 1 files changed, 21 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_admin_shell.lua Thu Apr 02 20:49:37 2026 +0100 +++ b/plugins/mod_admin_shell.lua Thu Apr 02 20:53:04 2026 +0100 @@ -20,6 +20,7 @@ local schema = require "prosody.util.jsonschema"; local st = require "prosody.util.stanza"; local parse_args = require "prosody.util.argparse".parse; +local saslprep = require "prosody.util.encodings".stringprep.saslprep; local _G = _G; @@ -1869,8 +1870,16 @@ role = module:get_option_string("default_provisioned_role", "prosody:member"); end - return promise.resolve(password or self.session.request_input("password")):next(function (password_) - local ok, err = um.create_user_with_role(username, password_, host, role); + return promise.resolve(password or self.session.request_input("password")):next(function (raw_password) + local prepped_password = saslprep(raw_password); + if not prepped_password or prepped_password == "" then + return promise.reject("Unacceptable password"); + end + + self.session.print(("PW: %q"):format(raw_password)); + self.session.print(("PW2: %q"):format(prepped_password)); + + local ok, err = um.create_user_with_role(username, prepped_password, host, role); if not ok then return promise.reject("Could not create user: "..err); end @@ -1935,8 +1944,16 @@ return nil, "No such user"; end - return promise.resolve(password or self.session.request_input("password")):next(function (password_) - local ok, err = um.set_password(username, password_, host, nil); + return promise.resolve(password or self.session.request_input("password")):next(function (raw_password) + local prepped_password = saslprep(raw_password); + if not prepped_password or prepped_password == "" then + return promise.reject("Unacceptable password"); + end + + self.session.print(("PW: %q"):format(raw_password)); + self.session.print(("PW2: %q"):format(prepped_password)); + + local ok, err = um.set_password(username, prepped_password, host, nil); if ok then return "User password changed"; else
