EFForg · jsha · Dec 4, 2014 · Nov 6, 2014 · Nov 6, 2014 · Nov 6, 2014
diff --git a/routerapi/auth.py b/routerapi/auth.py
@@ -80,6 +80,7 @@ class Auth:
     RATE_LIMIT_DURATION = 86400 # One day in seconds
     RATE_LIMIT_COUNT = 10
     LOGGED_IN_COOKIE_NAME = 'logged_in'
+    PASSWORD_LENGTH_MIN = 8
 
     def __init__(self, path = default_path()):
         self.path = path
@@ -167,11 +168,16 @@ def is_password(self, candidate):
     def save_password(self, new_password):
         """
         Store a new password.
+        Returns True is the password was stored and False if the password 
+        didn't fulfil all criteria.
         """
+        if len(new_password) < self.PASSWORD_LENGTH_MIN:
+            return False
         # 55 iterations takes about 100 ms on a Netgear WNDR3800 or about 8ms on a
         # Core2 Duo at 1200 MHz.
         hashed = pbkdf2.crypt(new_password, iterations=55)
         self.write(self.password_filename, hashed)
+        return True
 
     def get_csrf_token(self):
         """

diff --git a/routerapi/change_password b/routerapi/change_password
@@ -29,7 +29,8 @@ def jsonrpc_change_password():
 
     a = auth.Auth()
     if a.is_password(old_password):
-        a.save_password(new_password)
+        if not a.save_password(new_password):
+            common.render_error("Invalid password supplied.")
         print "Content-Type: application/json"
         print a.login_headers()
         print

diff --git a/routerapi/change_password_first_time b/routerapi/change_password_first_time
@@ -33,7 +33,8 @@ def jsonrpc_change_password_first_time(auth_path):
     if a.password_exists():
         common.render_error('Administrator password has already been set.')
     else:
-        a.save_password(new_password)
+        if not a.save_password(new_password):
+            common.render_error("Invalid password supplied.")
         uci.set('openwireless.setup_state', 'setup-private-net')
         uci.commit('openwireless')
         print "Content-Type: application/json"

diff --git a/routerapi/set_private_ssid b/routerapi/set_private_ssid
@@ -16,7 +16,8 @@ def jsonrpc_set_private_ssid():
         common.render_error(e.__str__())
     except ValueError, e:
         common.render_error(e.__str__())
-
+    if len(passphrase) < 8:
+        common.render_error("Passphrase must contain at least 8 characters.")
     # TODO: filter input
     uci.set('wireless.@wifi-iface[2].ssid', name)
     uci.set('wireless.@wifi-iface[2].key', passphrase)

diff --git a/test/auth_test.py b/test/auth_test.py
@@ -58,6 +58,8 @@ def test_password(self):
         self.assertTrue(os.path.isfile(os.path.join(self.path, "password")))
         self.assertTrue(self.auth.is_password("Passw0rd"))
         self.assertFalse(self.auth.is_password("badpass"))
+        self.assertFalse(self.auth.save_password("2Short"))
+        self.assertTrue(self.auth.is_password("Passw0rd"))
 
     def test_write(self):
         filename = os.path.join(self.path, "foo")