pengjunjie/server
1
0
Fork 1
mirror of https://github.com/ONLYOFFICE/server.git synced 2026-02-10 18:05:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bug] Fix bug in verifyPassword

Browse Source
This commit is contained in:
Sergey Konovalov
2025-10-02 11:56:36 +03:00
parent 5b18f02da1
commit f01af975ba
1 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
AdminPanel/server/sources/passwordManager.js
View File

@ -96,7 +96,7 @@ async function verifyPassword(password, hash) {
return false;
}
const [, iterationsStr, saltBase64, expectedHashBase64] = parts;
const [, , iterationsStr, saltBase64, expectedHashBase64] = parts;
const iterations = parseInt(iterationsStr, 10);
if (!iterations || !saltBase64 || !expectedHashBase64) {
@ -108,13 +108,12 @@ async function verifyPassword(password, hash) {
// Derive key from password with same parameters
const derivedKey = await pbkdf2(password, saltBuffer, iterations, PBKDF2_KEYLEN, PBKDF2_DIGEST);
const computedHashBase64 = derivedKey.toString('base64').replace(/\+/g, '.').replace(/=/g, '');
// Compare using timing-safe comparison
const expectedBuffer = Buffer.from(expectedHashBase64);
const computedBuffer = Buffer.from(computedHashBase64);
// Decode expected hash from base64 (restore + from .)
const expectedHashBuffer = Buffer.from(expectedHashBase64.replace(/\./g, '+'), 'base64');
return crypto.timingSafeEqual(expectedBuffer, computedBuffer);
// Compare using timing-safe comparison (compare raw buffers, not base64 strings)
return crypto.timingSafeEqual(derivedKey, expectedHashBuffer);
} catch {
return false;
}