From a52a6a8d52feccd7b2231317d667e734fd040adb Mon Sep 17 00:00:00 2001
From: Chip Black <bytex64@bytex64.net>
Date: Sat, 8 Jan 2011 23:52:56 -0600
Subject: [PATCH] Limit password length to 64 characters

---
 common/auth.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/common/auth.c b/common/auth.c
index 7e63f96..26569fd 100644
--- a/common/auth.c
+++ b/common/auth.c
@@ -12,17 +12,22 @@
 #include "util.h"
 
 #define TOKEN_SIZE 16
+#define MAX_PASSWORD_LENGTH 64
 
 int auth_set_password(const char *username, const char *password) {
 	char filename[512];
-	int fd;
+	int fd, n;
 
 	if (!valid_name(username) || !blerg_exists(username))
 		return 0;
 
+	n = strlen(password);
+	if (n > MAX_PASSWORD_LENGTH)
+		return 0;
+
 	snprintf(filename, 512, "%s/%s/password", DATA_PATH, username);
 	fd = open(filename, O_WRONLY | O_CREAT, 0600);
-	write(fd, password, strlen(password));
+	write(fd, password, n);
 	close(fd);
 	
 	return 1;
@@ -40,7 +45,7 @@ int auth_get_password(const char *username, char *password) {
 	fd = open(filename, O_RDONLY);
 	if (fd == -1)
 		return 0;
-	len = read(fd, password, 32);
+	len = read(fd, password, MAX_PASSWORD_LENGTH);
 	close(fd);
 
 	password[len] = 0;
@@ -54,7 +59,7 @@ int auth_check_password(const char *username, const char *password) {
 	if (auth_get_password(username, epw) == 0)
 		return 0;
 
-	if (strncmp(password, epw, 32) == 0)
+	if (strncmp(password, epw, MAX_PASSWORD_LENGTH) == 0)
 		return 1;
 	else
 		return 0;
-- 
2.25.1