mirrors/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2024-10-22 18:56:08 +03:00
Code Issues Projects Releases Packages Wiki Activity

Apply PBKDF2 when storing passwords

Browse source
This commit is contained in:
Chocobo1 2018-11-21 15:15:51 +08:00
parent 8a6cac8338
commit 05d6a29416
No known key found for this signature in database
GPG key ID: 210D9C873253A68C
14 changed files with 208 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/app/application.cpp
View file

@ -525,8 +525,8 @@ int Application::exec(const QStringList &params)
.arg(QString("http://localhost:") + QString::number(pref->getWebUiPort())) + '\n' .arg(QString("http://localhost:") + QString::number(pref->getWebUiPort())) + '\n'
+ tr("The Web UI administrator user name is: %1").arg(pref->getWebUiUsername()) + '\n'; + tr("The Web UI administrator user name is: %1").arg(pref->getWebUiUsername()) + '\n';
printf("%s", qUtf8Printable(mesg)); printf("%s", qUtf8Printable(mesg));
qDebug() << "Password:" << pref->getWebUiPassword();
if (pref->getWebUiPassword() == "f6fdffe48c908deb0f4c3bd36c032e72") { if (pref->getWebUIPassword() == "ARQ77eY1NUZaQsuDHbIMCA==:0WMRkYTUWVT9wVvdDtHAjU9b3b7uB8NR1Gur2hmQCvCDpm39Q+PsJRJPaCU51dEiz+dTzh8qbPsL8WkFljQYFQ==") {
const QString warning = tr("The Web UI administrator password is still the default one: %1").arg("adminadmin") + '\n' const QString warning = tr("The Web UI administrator password is still the default one: %1").arg("adminadmin") + '\n'
+ tr("This is a security risk, please consider changing your password from program preferences.") + '\n'; + tr("This is a security risk, please consider changing your password from program preferences.") + '\n';
printf("%s", qUtf8Printable(warning)); printf("%s", qUtf8Printable(warning));

2
src/base/CMakeLists.txt
View file

@ -54,6 +54,7 @@ utils/fs.h
utils/gzip.h utils/gzip.h
utils/misc.h utils/misc.h
utils/net.h utils/net.h
utils/password.h
utils/random.h utils/random.h
utils/string.h utils/string.h
utils/version.h utils/version.h
@ -123,6 +124,7 @@ utils/fs.cpp
utils/gzip.cpp utils/gzip.cpp
utils/misc.cpp utils/misc.cpp
utils/net.cpp utils/net.cpp
utils/password.cpp
utils/random.cpp utils/random.cpp
utils/string.cpp utils/string.cpp
asyncfilestorage.cpp asyncfilestorage.cpp

2
src/base/base.pri
View file

@ -69,6 +69,7 @@ HEADERS += \
$$PWD/utils/gzip.h \ $$PWD/utils/gzip.h \
$$PWD/utils/misc.h \ $$PWD/utils/misc.h \
$$PWD/utils/net.h \ $$PWD/utils/net.h \
$$PWD/utils/password.h \
$$PWD/utils/random.h \ $$PWD/utils/random.h \
$$PWD/utils/string.h \ $$PWD/utils/string.h \
$$PWD/utils/version.h $$PWD/utils/version.h
@ -133,5 +134,6 @@ SOURCES += \
$$PWD/utils/gzip.cpp \ $$PWD/utils/gzip.cpp \
$$PWD/utils/misc.cpp \ $$PWD/utils/misc.cpp \
$$PWD/utils/net.cpp \ $$PWD/utils/net.cpp \
$$PWD/utils/password.cpp \
$$PWD/utils/random.cpp \ $$PWD/utils/random.cpp \
$$PWD/utils/string.cpp $$PWD/utils/string.cpp

24
src/base/preferences.cpp
View file

@ -582,28 +582,16 @@ void Preferences::setWebUiUsername(const QString &username)
setValue("Preferences/WebUI/Username", username); setValue("Preferences/WebUI/Username", username);
} }
QString Preferences::getWebUiPassword() const QByteArray Preferences::getWebUIPassword() const
{ {
QString passHa1 = value("Preferences/WebUI/Password_ha1").toString(); // default: adminadmin
if (passHa1.isEmpty()) { const QByteArray defaultValue = "ARQ77eY1NUZaQsuDHbIMCA==:0WMRkYTUWVT9wVvdDtHAjU9b3b7uB8NR1Gur2hmQCvCDpm39Q+PsJRJPaCU51dEiz+dTzh8qbPsL8WkFljQYFQ==";
QCryptographicHash md5(QCryptographicHash::Md5); return value("Preferences/WebUI/Password_PBKDF2", defaultValue).toByteArray();
md5.addData("adminadmin");
passHa1 = md5.result().toHex();
}
return passHa1;
} }
void Preferences::setWebUiPassword(const QString &newPassword) void Preferences::setWebUIPassword(const QByteArray &password)
{ {
// Do not overwrite current password with its hash setValue("Preferences/WebUI/Password_PBKDF2", password);
if (newPassword == getWebUiPassword())
return;
// Encode to md5 and save
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(newPassword.toLocal8Bit());
setValue("Preferences/WebUI/Password_ha1", md5.result().toHex());
} }
bool Preferences::isWebUiClickjackingProtectionEnabled() const bool Preferences::isWebUiClickjackingProtectionEnabled() const

4
src/base/preferences.h
View file

@ -193,8 +193,8 @@ public:
void setWebUiAuthSubnetWhitelist(QStringList subnets); void setWebUiAuthSubnetWhitelist(QStringList subnets);
QString getWebUiUsername() const; QString getWebUiUsername() const;
void setWebUiUsername(const QString &username); void setWebUiUsername(const QString &username);
QString getWebUiPassword() const; QByteArray getWebUIPassword() const;
void setWebUiPassword(const QString &newPassword); void setWebUIPassword(const QByteArray &password);
// WebUI security // WebUI security
bool isWebUiClickjackingProtectionEnabled() const; bool isWebUiClickjackingProtectionEnabled() const;

120
src/base/utils/password.cpp Normal file
View file

@ -0,0 +1,120 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#include "password.h"
#include <array>
#include <openssl/evp.h>
#include <QByteArray>
#include <QList>
#include <QString>
#include "bytearray.h"
#include "random.h"
#include "string.h"
namespace Utils
{
namespace Password
{
namespace PBKDF2
{
const int hashIterations = 100000;
const auto hashMethod = EVP_sha512();
}
}
}
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::Password::slowEquals(const QByteArray &a, const QByteArray &b)
{
const int lengthA = a.length();
const int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
QByteArray Utils::Password::PBKDF2::generate(const QString &password)
{
return generate(password.toUtf8());
}
QByteArray Utils::Password::PBKDF2::generate(const QByteArray &password)
{
const std::array<uint32_t, 4> salt {{Random::rand(), Random::rand()
, Random::rand(), Random::rand()}};
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.data()), (sizeof(salt[0]) * salt.size())
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return {};
const QByteArray saltView = QByteArray::fromRawData(
reinterpret_cast<const char *>(salt.data()), (sizeof(salt[0]) * salt.size()));
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return (saltView.toBase64() + ':' + outBufView.toBase64());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QString &password)
{
return verify(secret, password.toUtf8());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QByteArray &password)
{
const QList<QByteArray> list = ByteArray::splitToViews(secret, ":", QString::SkipEmptyParts);
if (list.size() != 2)
return false;
const QByteArray salt = QByteArray::fromBase64(list[0]);
const QByteArray key = QByteArray::fromBase64(list[1]);
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.constData()), salt.size()
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return false;
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return slowEquals(key, outBufView);
}

51
src/base/utils/password.h Normal file
View file

@ -0,0 +1,51 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#pragma once
class QByteArray;
class QString;
namespace Utils
{
namespace Password
{
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
namespace PBKDF2
{
QByteArray generate(const QString &password);
QByteArray generate(const QByteArray &password);
bool verify(const QByteArray &secret, const QString &password);
bool verify(const QByteArray &secret, const QByteArray &password);
}
}
}

15
src/base/utils/string.cpp
View file

@ -31,7 +31,6 @@
#include <cmath> #include <cmath>
#include <QByteArray>
#include <QCollator> #include <QCollator>
#include <QLocale> #include <QLocale>
#include <QRegExp> #include <QRegExp>
@ -164,20 +163,6 @@ QString Utils::String::fromDouble(double n, int precision)
return QLocale::system().toString(std::floor(n * prec) / prec, 'f', precision); return QLocale::system().toString(std::floor(n * prec) / prec, 'f', precision);
} }
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::String::slowEquals(const QByteArray &a, const QByteArray &b)
{
int lengthA = a.length();
int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
// This is marked as internal in QRegExp.cpp, but is exported. The alternative would be to // This is marked as internal in QRegExp.cpp, but is exported. The alternative would be to
// copy the code from QRegExp::wc2rx(). // copy the code from QRegExp::wc2rx().
QString qt_regexp_toCanonical(const QString &pattern, QRegExp::PatternSyntax patternSyntax); QString qt_regexp_toCanonical(const QString &pattern, QRegExp::PatternSyntax patternSyntax);

7
src/base/utils/string.h
View file

@ -30,10 +30,9 @@
#ifndef UTILS_STRING_H #ifndef UTILS_STRING_H
#define UTILS_STRING_H #define UTILS_STRING_H
#include <QLatin1String>
#include <QString> #include <QString>
class QByteArray;
class QLatin1String;
class TriStateBool; class TriStateBool;
namespace Utils namespace Utils
@ -42,10 +41,6 @@ namespace Utils
{ {
QString fromDouble(double n, int precision); QString fromDouble(double n, int precision);
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
int naturalCompare(const QString &left, const QString &right, const Qt::CaseSensitivity caseSensitivity); int naturalCompare(const QString &left, const QString &right, const Qt::CaseSensitivity caseSensitivity);
template <Qt::CaseSensitivity caseSensitivity> template <Qt::CaseSensitivity caseSensitivity>
bool naturalLessThan(const QString &left, const QString &right) bool naturalLessThan(const QString &left, const QString &right)

7
src/gui/optionsdialog.cpp
View file

@ -59,6 +59,7 @@
#include "base/torrentfileguard.h" #include "base/torrentfileguard.h"
#include "base/unicodestrings.h" #include "base/unicodestrings.h"
#include "base/utils/fs.h" #include "base/utils/fs.h"
#include "base/utils/password.h"
#include "base/utils/random.h" #include "base/utils/random.h"
#include "addnewtorrentdialog.h" #include "addnewtorrentdialog.h"
#include "advancedsettings.h" #include "advancedsettings.h"
@ -728,7 +729,8 @@ void OptionsDialog::saveOptions()
} }
// Authentication // Authentication
pref->setWebUiUsername(webUiUsername()); pref->setWebUiUsername(webUiUsername());
pref->setWebUiPassword(webUiPassword()); if (!webUiPassword().isEmpty())
pref->setWebUIPassword(Utils::Password::PBKDF2::generate(webUiPassword()));
pref->setWebUiLocalAuthEnabled(!m_ui->checkBypassLocalAuth->isChecked()); pref->setWebUiLocalAuthEnabled(!m_ui->checkBypassLocalAuth->isChecked());
pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked()); pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
// Security // Security
@ -1090,7 +1092,6 @@ void OptionsDialog::loadOptions()
setSslCertificate(pref->getWebUiHttpsCertificate()); setSslCertificate(pref->getWebUiHttpsCertificate());
setSslKey(pref->getWebUiHttpsKey()); setSslKey(pref->getWebUiHttpsKey());
m_ui->textWebUiUsername->setText(pref->getWebUiUsername()); m_ui->textWebUiUsername->setText(pref->getWebUiUsername());
m_ui->textWebUiPassword->setText(pref->getWebUiPassword());
m_ui->checkBypassLocalAuth->setChecked(!pref->isWebUiLocalAuthEnabled()); m_ui->checkBypassLocalAuth->setChecked(!pref->isWebUiLocalAuthEnabled());
m_ui->checkBypassAuthSubnetWhitelist->setChecked(pref->isWebUiAuthSubnetWhitelistEnabled()); m_ui->checkBypassAuthSubnetWhitelist->setChecked(pref->isWebUiAuthSubnetWhitelistEnabled());
m_ui->IPSubnetWhitelistButton->setEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked()); m_ui->IPSubnetWhitelistButton->setEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
@ -1743,7 +1744,7 @@ bool OptionsDialog::webUIAuthenticationOk()
QMessageBox::warning(this, tr("Length Error"), tr("The Web UI username must be at least 3 characters long.")); QMessageBox::warning(this, tr("Length Error"), tr("The Web UI username must be at least 3 characters long."));
return false; return false;
} }
if (webUiPassword().length() < 6) { if (!webUiPassword().isEmpty() && (webUiPassword().length() < 6)) {
QMessageBox::warning(this, tr("Length Error"), tr("The Web UI password must be at least 6 characters long.")); QMessageBox::warning(this, tr("Length Error"), tr("The Web UI password must be at least 6 characters long."));
return false; return false;
} }

9
src/gui/optionsdialog.ui
View file

@ -3074,15 +3074,12 @@ Specify an IPv4 or IPv6 address. You can specify &quot;0.0.0.0&quot; for any IPv
</item> </item>
<item row="3" column="1"> <item row="3" column="1">
<widget class="QLineEdit" name="textWebUiPassword"> <widget class="QLineEdit" name="textWebUiPassword">
<property name="text">
<string/>
</property>
<property name="maxLength">
<number>1000</number>
</property>
<property name="echoMode"> <property name="echoMode">
<enum>QLineEdit::Password</enum> <enum>QLineEdit::Password</enum>
</property> </property>
<property name="placeholderText">
<string>Change current password</string>
</property>
</widget> </widget>
</item> </item>
<item row="4" column="0" colspan="2"> <item row="4" column="0" colspan="2">

4
src/webui/api/appcontroller.cpp
View file

@ -54,6 +54,7 @@
#include "base/scanfoldersmodel.h" #include "base/scanfoldersmodel.h"
#include "base/utils/fs.h" #include "base/utils/fs.h"
#include "base/utils/net.h" #include "base/utils/net.h"
#include "base/utils/password.h"
#include "../webapplication.h" #include "../webapplication.h"
void AppController::webapiVersionAction() void AppController::webapiVersionAction()
@ -198,7 +199,6 @@ void AppController::preferencesAction()
data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate()); data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate());
// Authentication // Authentication
data["web_ui_username"] = pref->getWebUiUsername(); data["web_ui_username"] = pref->getWebUiUsername();
data["web_ui_password"] = pref->getWebUiPassword();
data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled(); data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled();
data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled(); data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled();
QStringList authSubnetWhitelistStringList; QStringList authSubnetWhitelistStringList;
@ -474,7 +474,7 @@ void AppController::setPreferencesAction()
if (m.contains("web_ui_username")) if (m.contains("web_ui_username"))
pref->setWebUiUsername(m["web_ui_username"].toString()); pref->setWebUiUsername(m["web_ui_username"].toString());
if (m.contains("web_ui_password")) if (m.contains("web_ui_password"))
pref->setWebUiPassword(m["web_ui_password"].toString()); pref->setWebUIPassword(Utils::Password::PBKDF2::generate(m["web_ui_password"].toByteArray()));
if (m.contains("bypass_local_auth")) if (m.contains("bypass_local_auth"))
pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool()); pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool());
if (m.contains("bypass_auth_subnet_whitelist_enabled")) if (m.contains("bypass_auth_subnet_whitelist_enabled"))

19
src/webui/api/authcontroller.cpp
View file

@ -28,11 +28,9 @@
#include "authcontroller.h" #include "authcontroller.h"
#include <QCryptographicHash>
#include "base/logger.h" #include "base/logger.h"
#include "base/preferences.h" #include "base/preferences.h"
#include "base/utils/string.h" #include "base/utils/password.h"
#include "apierror.h" #include "apierror.h"
#include "isessionmanager.h" #include "isessionmanager.h"
@ -58,17 +56,14 @@ void AuthController::loginAction()
, tr("Your IP address has been banned after too many failed authentication attempts.")); , tr("Your IP address has been banned after too many failed authentication attempts."));
} }
const QString username {Preferences::instance()->getWebUiUsername()}; const Preferences *pref = Preferences::instance();
const QString password {Preferences::instance()->getWebUiPassword()};
QCryptographicHash md5(QCryptographicHash::Md5); const QString username {pref->getWebUiUsername()};
md5.addData(passwordFromWeb.toLocal8Bit()); const QByteArray secret {pref->getWebUIPassword()};
const QString passwordFromWebHashed = md5.result().toHex(); const bool usernameEqual = Utils::Password::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
const bool passwordEqual = Utils::Password::PBKDF2::verify(secret, passwordFromWeb);
const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8()); if (usernameEqual && passwordEqual) {
const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
if (equalUser && equalPass) {
m_clientFailedLogins.remove(clientAddr); m_clientFailedLogins.remove(clientAddr);
sessionManager()->sessionStart(); sessionManager()->sessionStart();

10
src/webui/www/private/preferences_content.html
View file

@ -433,7 +433,8 @@
<label for="webui_username_text" class="leftLabelSmall">QBT_TR(Username:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_username_text" /> <label for="webui_username_text" class="leftLabelSmall">QBT_TR(Username:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_username_text" />
</div> </div>
<div class="formRow"> <div class="formRow">
<label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="password" id="webui_password_text" /> <label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label>
<input type="password" id="webui_password_text" placeholder="QBT_TR(Change current password)QBT_TR[CONTEXT=OptionsDialog]" />
</div> </div>
<div class="formRow"> <div class="formRow">
<input type="checkbox" id="bypass_local_auth_checkbox" /> <input type="checkbox" id="bypass_local_auth_checkbox" />
@ -980,7 +981,6 @@
// Authentication // Authentication
$('webui_username_text').setProperty('value', pref.web_ui_username); $('webui_username_text').setProperty('value', pref.web_ui_username);
$('webui_password_text').setProperty('value', pref.web_ui_password);
$('bypass_local_auth_checkbox').setProperty('checked', pref.bypass_local_auth); $('bypass_local_auth_checkbox').setProperty('checked', pref.bypass_local_auth);
$('bypass_auth_subnet_whitelist_checkbox').setProperty('checked', pref.bypass_auth_subnet_whitelist_enabled); $('bypass_auth_subnet_whitelist_checkbox').setProperty('checked', pref.bypass_auth_subnet_whitelist_enabled);
$('bypass_auth_subnet_whitelist_textarea').setProperty('value', pref.bypass_auth_subnet_whitelist); $('bypass_auth_subnet_whitelist_textarea').setProperty('value', pref.bypass_auth_subnet_whitelist);
@ -1264,12 +1264,14 @@
return; return;
} }
var web_ui_password = $('webui_password_text').getProperty('value'); var web_ui_password = $('webui_password_text').getProperty('value');
if (web_ui_password.length < 6) { if ((0 < web_ui_password.length) && (web_ui_password.length < 6)) {
alert("QBT_TR(The Web UI password must be at least 6 characters long.)QBT_TR[CONTEXT=OptionsDialog]"); alert("QBT_TR(The Web UI password must be at least 6 characters long.)QBT_TR[CONTEXT=OptionsDialog]");
return; return;
} }
settings.set('web_ui_username', web_ui_username); settings.set('web_ui_username', web_ui_username);
settings.set('web_ui_password', web_ui_password); if (web_ui_password.length > 0)
settings.set('web_ui_password', web_ui_password);
settings.set('bypass_local_auth', $('bypass_local_auth_checkbox').getProperty('checked')); settings.set('bypass_local_auth', $('bypass_local_auth_checkbox').getProperty('checked'));
settings.set('bypass_auth_subnet_whitelist_enabled', $('bypass_auth_subnet_whitelist_checkbox').getProperty('checked')); settings.set('bypass_auth_subnet_whitelist_enabled', $('bypass_auth_subnet_whitelist_checkbox').getProperty('checked'));
settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value')); settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value'));