fix(password): guard set_permanent_password_storage_for_sync()

Signed-off-by: fufesou <linlong1266@gmail.com>
fufesou
2026-03-19 21:23:12 +08:00
parent 37802208aa
commit 5d5f12a5ac


@@ -1312,6 +1312,19 @@ impl Config {
return Err(anyhow!("Invalid hashed permanent password storage")); return Err(anyhow!("Invalid hashed permanent password storage"));
} }
// For hashed permanent password storage, `storage` and `salt` must be consistent as a pair.
//
// In theory, it should be impossible to observe "same storage but different salt" for a
// correct sync source. However, accepting such an update would persist an invalid
// (storage, salt) pair and make permanent-password verification fail for all inputs
// (effective lockout) until the password is reset. The impact is high enough that a
// defensive check here is worthwhile even if it is rarely triggered in practice.
if config.password == storage && config.salt != salt {
return Err(anyhow!(
"Refusing to change salt without updating hashed permanent password storage"
));
}
if config.password == storage && config.salt == salt { if config.password == storage && config.salt == salt {
return Ok(false); return Ok(false);
} }
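Review bot: The new guard at `if config.password == storage && config.salt != salt` catches only the unchanged-storage case, while the comment above it reads as if the (storage, salt) pair were validated in general. A sync update that changes both values to a pair that does not belong together would still be persisted and cause the same lockout, and this code presumably cannot detect that without the plaintext, so the comment should state the limit, e.g. `// Note: this only rejects a salt change with unchanged storage; a new (storage, salt) pair is trusted as sent by the sync source.` Since both branches test `config.password == storage`, nesting the salt comparison under a single `if config.password == storage { ... }` would make the ordering dependency between the reject and the no-op return explicit. Whether an empty `salt` is rejected earlier is not visible here; the function body starts and ends outside the hunk.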