[Jirafeau] Some password invalid characters do not appear to be caught at install time

Hi everyone,

First, a huge thanks for the great piece of software that is YunoHost! I just installed it to get more familiar with self-hosting and it looks great. I can’t believe you guys managed to abstract a lot of the tedious server work into such a beautiful interface, it is very very nice!

Now, I am writing here as I have just installed Jirafeau and set an upload password, automatically generated using KeePassXC. I see there is some code to forbid characters which the Jirafeau code does not support (I hit the ‘{}’ case) but it looks like some of them are not properly caught.

Steps:

  • I just installed Jirafeau and it would not start at all (no page displayed on DOMAIN/jirafeau).
  • The Firefox debugger tells me there is a 500 internal server error.
  • Looking at the logs via the UI, I see the following in /var/log/nginx/cryostase.eu-error.log:
2020/03/08 21:58:46 [error] 15221#15221: *590 [lua] access.lua:123: Redirection to an external domain aborted, client: 192.168.1.254, server: cryostase.eu, request: "GET /yunohost/sso/?r=aHR0cHM6Ly8xOTIuMTY4LjEuNzYveXVub2hvc3Qvc3NvLw== HTTP/2.0", host: "cryostase.eu", referrer: "https://cryostase.eu/yunohost/sso/?r=aHR0cHM6Ly8xOTIuMTY4LjEuNzYveXVub2hvc3Qvc3NvLw=="
2020/03/08 21:59:54 [error] 15221#15221: *590 [lua] helpers.lua:314: authenticate(): Connection failed for: admin, client: 192.168.1.254, server: cryostase.eu, request: "POST /yunohost/sso/ HTTP/2.0", host: "cryostase.eu", referrer: "https://cryostase.eu/yunohost/sso/"
2020/03/11 20:57:42 [error] 7029#7029: *1208 FastCGI sent in stderr: "PHP message: PHP Parse error:  syntax error, unexpected ':', expecting ')' in /var/www/jirafeau/lib/config.local.php on line 77" while reading response header from upstream, client: 192.168.1.254, server: cryostase.eu, request: "GET /jirafeau/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm-jirafeau.sock:", host: "cryostase.eu", referrer: "https://192.168.1.76/yunohost/admin/"
2020/03/11 20:57:57 [error] 7029#7029: *1208 FastCGI sent in stderr: "PHP message: PHP Parse error:  syntax error, unexpected ':', expecting ')' in /var/www/jirafeau/lib/config.local.php on line 77" while reading response header from upstream, client: 192.168.1.254, server: cryostase.eu, request: "GET /jirafeau/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm-jirafeau.sock:", host: "cryostase.eu", referrer: "https://192.168.1.76/yunohost/admin/"
2020/03/11 20:58:03 [error] 7029#7029: *1208 FastCGI sent in stderr: "PHP message: PHP Parse error:  syntax error, unexpected ':', expecting ')' in /var/www/jirafeau/lib/config.local.php on line 77" while reading response header from upstream, client: 192.168.1.254, server: cryostase.eu, request: "GET /jirafeau/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm-jirafeau.sock:", host: "cryostase.eu", referrer: "https://192.168.1.76/yunohost/admin/"
2020/03/11 20:58:14 [error] 7029#7029: *1208 FastCGI sent in stderr: "PHP message: PHP Parse error:  syntax error, unexpected ':', expecting ')' in /var/www/jirafeau/lib/config.local.php on line 77" while reading response header from upstream, client: 192.168.1.254, server: cryostase.eu, request: "GET /jirafeau/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm-jirafeau.sock:", host: "cryostase.eu", referrer: "https://192.168.1.76/yunohost/admin/"

Here it is clearly the case that the problematic character is the ‘:’ sign. After manually editing the password string and restarting nginx (is there a better way to just restart a single app?), I found a few more such forbidden characters. After changing them all, Jirafeau can start.

The list of forbidden characters which, from what I have seen in my case, do not appear to be caught is <>:'

I think I should report this on Github but I am not sure so I preferred to ask here. Let me know how I can proceed.

Thanks much for the feedback, and thanks again for such a great piece of software!

Vincent

PS: I have found a similar issue (can’t post the link here apparently, insufficient karma) which was fixed in the code (without any reference to a commit however)

My YunoHost server

Hardware: Raspberry Pi 3 at home
YunoHost version: 3.6.5.3 (stable).
I have access to my server: through SSH and through the webadmin. Direct access via keyboard / screen is possible if needed, I can plug in a serial console although I have not tried it.
Are you in a special context or did you perform some particular tweaking on your YunoHost instance? no


Actually, even if I remove the problematic characters and Jirafeau can start, I get similar issues when uploading a file, with part of the password being displayed in the page, next to the ‘Send’ button and password validation always failing. The character checks probably have to be even stronger.

Hi everyone,

Just a note to say that if replies in French are easier, that is fine with me too (I wasn’t sure at first, but reading the forum I get the impression that the French-speaking community is more strongly represented).

Vincent

Hello Vinz

That’s a recurrent issue with some apps.
As far as I’m concerned, I would say you had better not use special characters in your passwords, as you never know how apps are going to handle them.
That’s also the problem with early detection, as you encountered with {} (which are the only forbidden characters so far): how do you define which characters are forbidden?
Here the problem was with PHP, but it could just as well be with Node, JSON, Python or whatever else the app uses. And the forbidden characters aren’t the same depending on the language the app uses.

An old and never solved problem…
There was a beginning of something here, https://github.com/YunoHost/issues/issues/1319#issuecomment-470564616. I probably never went forward with it though.
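The following is an added example, not code from YunoHost, Jirafeau or either poster. It ties together the first post (a raw password containing ' and : pasted into config.local.php yields a PHP parse error of the "unexpected ..., expecting ')'" kind) and the reply above (the set of dangerous characters depends on the target syntax, so a single forbidden-character list cannot be right). The config line shape `$cfg['upload_password'] = array('...');` is an assumption, as is the sample password; the thread shows neither the install script nor the actual line 77. The point demonstrated is that encoding the value for the target format (PHP single-quoted literal, POSIX shell single quotes, JSON) makes every character safe, so no blocklist is needed; the small parser only models the PHP single-quoted string rules for that one line and is not a PHP parser.

```python
"""Added example (not YunoHost's or Jirafeau's code): why a raw password
pasted into a generated PHP config breaks it, and how escaping per target
syntax removes the need for a 'forbidden characters' list."""
import json

# Constructed sample password (hypothetical, not the reporter's). It holds
# the characters the thread reports as uncaught (< > : ') plus the braces
# YunoHost already rejects and a backslash.
PASSWORD = "Ab<>:'x{}\\y"

# Characters that corrupt each target syntax when inserted unescaped.
# The sets differ per format, which is why one blocklist cannot fit all apps.
BREAKING = {
    "php_single_quoted": set("'\\"),                 # only \' and \\ are escapes
    "sh_single_quoted": set("'"),                     # POSIX '...' has no escapes
    "json": set('"\\') | {chr(c) for c in range(0x20)},
}


def breaking_chars(value: str) -> dict:
    """Which characters of `value` break each target if pasted raw."""
    return {name: {c for c in value if c in chars} for name, chars in BREAKING.items()}


def naive_php_config(password: str) -> str:
    """The fragile pattern: raw string substitution into PHP source.
    The config line shape is an assumption; the thread does not show it."""
    return "<?php\n$cfg['upload_password'] = array('%s');\n" % password


def php_single_quoted(value: str) -> str:
    """Encode as a PHP single-quoted literal: escape \\ first, then '.
    Nothing else is special inside '...', so { } : < > and $ are safe."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_php_config(password: str) -> str:
    """Same line, but the value is encoded for its target syntax."""
    return "<?php\n$cfg['upload_password'] = array(%s);\n" % php_single_quoted(password)


def sh_single_quoted(value: str) -> str:
    """Encode for a POSIX shell single-quoted argument: ' becomes '\\''."""
    return "'" + value.replace("'", "'\\''") + "'"


def json_string(value: str) -> str:
    """json.dumps already escapes \", \\ and control characters."""
    return json.dumps(value)


def parse_php_upload_password(source: str):
    """Decode the single-quoted literal inside array('...') with the PHP
    single-quote rules and require it to be followed by ');'.
    Returns (ok, decoded). ok is False when the literal ends early or never
    ends, the situations PHP reports as "unexpected ..., expecting ')'".
    This checks one line shape only; it is not a PHP parser."""
    head = "array('"
    start = source.find(head)
    if start < 0:
        return False, None
    i = start + len(head)
    out = []
    while i < len(source):
        ch = source[i]
        if ch == "\\" and i + 1 < len(source) and source[i + 1] in "\\'":
            out.append(source[i + 1])   # escaped backslash or quote
            i += 2
            continue
        if ch == "'":                   # closing quote of the literal
            return source.startswith(");", i + 1), "".join(out)
        out.append(ch)
        i += 1
    return False, "".join(out)          # unterminated literal


if __name__ == "__main__":
    print("breaking characters per target:", breaking_chars(PASSWORD))
    print("naive :", parse_php_upload_password(naive_php_config(PASSWORD)))
    print("safe  :", parse_php_upload_password(safe_php_config(PASSWORD)))
    print("shell :", sh_single_quoted(PASSWORD))
    print("json  :", json_string(PASSWORD))
```

Running it shows the naive config decoding to a truncated `Ab<>:` with the literal closed early by the embedded quote, while the encoded config round-trips the full password. The per-target sets also show that `:`, `<` and `>` are harmless in all three formats; the character that actually ends a PHP single-quoted string is the `'`, and a backslash needs care too, so a fix in the packaging should encode the value for the file it writes rather than grow the blocklist.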

Hello @Maniack_Crudelis,

Thanks for your detailed and precise answer and sorry for taking so long to reply.
I see what you tried to achieve in issue #1319, indeed a difficult problem to solve. It does look to me that many apps on Yuno could be vulnerable to such injections.

Also note that the security page mentions that only password hashes are stored, which is clearly not the case for Jirafeau (maybe this applies to the YunoHost core only).

As for the guidance on password generation, would you think this could be a worthwhile addition to the doc? I can see to generating a patch if so.

Thanks much!

For sure many would argue about weak passwords.
Meanwhile, you can open a pull request to add it to the doc, or if you know how to do it, try to fix the problem itself.

Thanks again for your answer. I will see to open a doc PR to mention that users should not use special characters in passwords.
