From a0b276e4b8ae86dec7deee898e85b65784d89933 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Wed, 7 Aug 2013 18:09:20 +0200
Subject: close srp vulnerability and report error in webapp

---
 users/config/locales/en.yml                           | 1 +
 users/leap_web_users.gemspec                          | 2 +-
 users/lib/warden/strategies/secure_remote_password.rb | 2 ++
 users/test/integration/browser/account_test.rb        | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

(limited to 'users')

diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 1aa7005..62f822c 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -12,6 +12,7 @@ en:
   change_password: "Change Password"
   login_message: "Please log in with your account."
   invalid_user_pass: "Not a valid username/password combination"
+  invalid_ephemeral: "Invalid random key used. This looked like an attempt to hack the site to us. If it wasn't please contact support so we can look into the issue."
   all_strategies_failed: "Could not understand your login attempt. Please first send your login and a SRP ephemeral value A and then send the client_auth in the same session (using cookies)."
   update_login_and_password: "Update Login and Password"
   destroy_my_account: "Destroy my account"
diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec
index d33328a..7d1f220 100644
--- a/users/leap_web_users.gemspec
+++ b/users/leap_web_users.gemspec
@@ -17,6 +17,6 @@ Gem::Specification.new do |s|
 
   s.add_dependency "leap_web_core", LeapWeb::VERSION
 
-  s.add_dependency "ruby-srp", "~> 0.2.0"
+  s.add_dependency "ruby-srp", "~> 0.2.1"
   s.add_dependency "rails_warden"
 end
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 2c681be..4688fcd 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -49,6 +49,8 @@ module Warden
         else
           fail! :base => 'invalid_user_pass'
         end
+      rescue SRP::InvalidEphemeral
+        fail!(:base => "invalid_ephemeral")
       end
 
       def json_response(object)
diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb
index b5776ff..c65c491 100644
--- a/users/test/integration/browser/account_test.rb
+++ b/users/test/integration/browser/account_test.rb
@@ -29,6 +29,7 @@ class AccountTest < BrowserIntegrationTest
     inject_malicious_js
     click_on 'Log In'
     assert !page.has_content?("Welcome")
+    assert page.has_content?("Invalid random key")
   end
 
   def inject_malicious_js
-- 
cgit v1.2.3