use hashed passwords (see #130)

burpui/misc/auth/basic.py

@@ -1,6 +1,8 @@
 # -*- coding: utf8 -*-
+import re
+
 from .interface import BUIhandler, BUIuser, BUIloader
-from ..._compat import ConfigParser
+from werkzeug.security import check_password_hash, generate_password_hash
 
 
 class BasicLoader(BUIloader):
@@ -18,24 +20,38 @@ class BasicLoader(BUIloader):
         self.users = {
             'admin': 'admin'
         }
-        conf = self.app.config['CFG']
+        conf = self.app.conf
-        c = ConfigParser.ConfigParser()
+        if 'BASIC' in conf.options:
-        c.optionxform = str
+            # check passwords are salted
-        with open(conf) as fp:
+            salted = False
-            c.readfp(fp)
+            if len(conf.options.comments['BASIC']) > 0:
-            if c.has_section('BASIC'):
+                if re.match(
-                self.users = {}
+                        r'^\s*#+\s*@salted@',
-                for opt in c.options('BASIC'):
+                        conf.options.comments['BASIC'][-1]):
-                    if opt == 'priority':
+                    salted = True
-                        # Maybe the handler argument is None, maybe the 'priority'
+            self.users = {}
-                        # option is missing. We don't care.
+            for opt in conf.options.get('BASIC').keys():
-                        try:
+                if opt == 'priority':
-                            handler.priority = c.getint('BASIC', opt)
+                    # Maybe the handler argument is None, maybe the 'priority'
-                        except:
+                    # option is missing. We don't care.
-                            pass
+                    try:
-                        continue  # pragma: no cover
+                        handler.priority = conf.safe_get(opt, section='BASIC')
-                    self.users[opt] = c.get('BASIC', opt)
+                    except:
-                    self.logger.info('Loading user: {}'.format(opt))
+                        pass
+                    continue  # pragma: no cover
+                pwd = conf.safe_get(opt, section='BASIC')
+                if not salted:
+                    pwd = generate_password_hash(pwd)
+                    conf.options['BASIC'][opt] = pwd
+                self.users[opt] = pwd
+                self.logger.info('Loading user: {}'.format(opt))
+
+            if not salted:
+                conf.options.comments['BASIC'].append(
+                    '# Please DO NOT touch the following line'
+                )
+                conf.options.comments['BASIC'].append('# @salted@')
+                conf.options.write()
 
     def fetch(self, uid=None):
         """:func:`burpui.misc.auth.basic.BasicLoader.fetch` searches for a user
@@ -63,7 +79,8 @@ class BasicLoader(BUIloader):
 
         :returns: True if there is a match, otherwise False
         """
-        return uid in self.users and self.users[uid] == passwd
+        return uid in self.users and \
+            check_password_hash(self.users[uid], passwd)
 
 
 class UserHandler(BUIhandler):