Apply disallow_empty_password to password changes too

2022-04-27 19:10:03 +02:00 · 2022-04-27 19:10:03 +02:00 · 1ac378063e
commit 1ac378063e
parent d497c92684
2 changed files with 14 additions and 4 deletions
--- a/builtin/settingtypes.txt
+++ b/builtin/settingtypes.txt
@ -1123,7 +1123,7 @@ enable_mod_channels (Mod channels) bool false
 #    If this is set, players will always (re)spawn at the given position.
 static_spawnpoint (Static spawnpoint) string

-#    If enabled, new players cannot join with an empty password.
+#    If enabled, players cannot join without a password or change theirs to an empty password.
 disallow_empty_password (Disallow empty passwords) bool false

 #    If enabled, disable cheat prevention in multiplayer.
--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@ -1476,6 +1476,9 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt)
 	verbosestream << "Server: Got TOSERVER_FIRST_SRP from " << addr_s
 		<< ", with is_empty=" << (is_empty == 1) << std::endl;

+	const bool empty_disallowed = !isSingleplayer() && is_empty == 1 &&
+		g_settings->getBool("disallow_empty_password");
+
 	// Either this packet is sent because the user is new or to change the password
 	if (cstate == CS_HelloSent) {
 		if (!client->isMechAllowed(AUTH_MECHANISM_FIRST_SRP)) {
@ -1486,9 +1489,7 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt)
 			return;
 		}

-		if (!isSingleplayer() &&
-				g_settings->getBool("disallow_empty_password") &&
-				is_empty == 1) {
+		if (empty_disallowed) {
 			actionstream << "Server: " << playername
 					<< " supplied empty password from " << addr_s << std::endl;
 			DenyAccess(peer_id, SERVER_ACCESSDENIED_EMPTY_PASSWORD);
@ -1521,6 +1522,15 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt)
 			return;
 		}
 		m_clients.event(peer_id, CSE_SudoLeave);
+
+		if (empty_disallowed) {
+			actionstream << "Server: " << playername
+					<< " supplied empty password" << std::endl;
+			SendChatMessage(peer_id, ChatMessage(CHATMESSAGE_TYPE_SYSTEM,
+				L"Changing to an empty password is not allowed."));
+			return;
+		}
+
 		std::string pw_db_field = encode_srp_verifier(verification_key, salt);
 		bool success = m_script->setPassword(playername, pw_db_field);
 		if (success) {