nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
310 Commits 11 Branches 402 Tags 289 MiB
Commit Graph

9 Commits

Author SHA1 Message Date
James Valleroy
f7ad1089a5 Update tests for auth module, and fix some bugs discovered in auth module. 2013-11-11 07:31:53 -06:00
James Valleroy
4a9177a257 Use bcrypt for login form. Add tests to check that salts and hashes are random, and check handling of invalid passwords or salts. 2013-11-11 07:28:26 -06:00
Nick Daly
49ce1b9389 Merge JValleroy's test fixes. 2013-11-02 11:37:45 -05:00
Nick Daly
c0049d1d8c Merged JValleroy's test updates. 
The *user_store* tests can find the user_store module, and now the
tests fail for completely different reasons!
 2013-11-02 11:26:35 -05:00
Nick Daly
daca06a9b3 Moved actions/privilegedactions_test.py to tests/. 
Added new "--pause" option in test.sh to pause after each test.
 2013-11-02 10:34:51 -05:00
James Valleroy
1acc17f403 Fix import of user_store in test. 2013-11-02 02:41:44 +00:00
James Valleroy
8786e6ecc2 Fix import of privilegedactions in tests. 2013-11-02 02:40:49 +00:00
Nick Daly
065c25039a Rewrote actions/privilegedactions.py to be less exploitable. 
I'm sure there are still some exploits in the code, but there are
certainly fewer now.  Instead of just executing whatever arguments are
passed into privilegedactions.privilegedaction_run, we now limit the
actions that can be run in the following ways:

- Only actions that exist in the actions directory can be executed.
  Attempting to run the action "echo; rm -rf /" will look for a file
  named "actions/echo; rm -rf /", of which there are none.

- Shell literals are escaped: attempting to run the "echo" action with
  options like "'hi'; rm -rf /") will echo "'hi'; rm -rf /".

- It is difficult to interact with the spawned process through this
  interface.  We can't control whether the spawned process allows
  interaction.

The details of the contract are included in privilegedactions.py, and
this contract is tested in privilegedactions_test.py.
 2013-10-27 10:46:06 -05:00
Tom Galloway
c4cddbfc0e Changes to get user management screens started. Updated UserStore to add all expected functions. Added tests for these functions. 2013-01-21 10:30:52 +00:00