auth-filters: do not crash on nil username

[ps-cgit] / filters / gentoo-ldap-authentication.lua

diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index fce5632aa406a1d07e619f46a351d32c421ba508..3b6564b42983fc6996583495667ca2d8d93a99a0 100644 (file)
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -4,7 +4,7 @@
 --     luacrypto >= 0.3
 --     <http://mkottman.github.io/luacrypto/>
 --     lualdap >= 1.2
---     <http://git.zx2c4.com/lualdap/about/>
+--     <https://git.zx2c4.com/lualdap/about/>
 --
 
 
@@ -106,7 +106,7 @@ local lualdap = require("lualdap")
 
 function gentoo_ldap_user_groups(username, password)
        -- Ensure the user is alphanumeric
-       if username:match("%W") then
+       if username == nil or username:match("%W") then
                return nil
        end
 
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
        end
 
        -- Lua hashes strings, so these comparisons are time invariant.
-       if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+       if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end
 
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-       authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+       authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
        return authstr
 end