Merge pull request #1423 from pi-hole/promoLearnsToCode

Double hash the password directly in the install script
7 years ago · 7c2046cce7
parent c8e1e6dc8a b13171cc45
commit 7c2046cce7
2 changed files with 10 additions and 4 deletions
--- a/advanced/Scripts/webpage.sh
+++ b/advanced/Scripts/webpage.sh
@ -67,6 +67,13 @@ SetTemperatureUnit(){

 }

+HashPassword(){
+    # Compute password hash twice to avoid rainbow table vulnerability
+    return=$(echo -n ${1} | sha256sum | sed 's/\s.*$//')
+		return=$(echo -n ${return} | sha256sum | sed 's/\s.*$//')
+		echo ${return}
+}
+
 SetWebPassword(){

 	if [ "${SUDO_USER}" == "www-data" ]; then
@ -93,9 +100,7 @@ SetWebPassword(){
 	read -s -p "Confirm Password: " CONFIRM
 	echo ""
 	if [ "${PASSWORD}" == "${CONFIRM}" ] ; then
-		# Compute password hash twice to avoid rainbow table vulnerability
-		hash=$(echo -n ${PASSWORD} | sha256sum | sed 's/\s.*$//')
-		hash=$(echo -n ${hash} | sha256sum | sed 's/\s.*$//')
+		hash=$(HashPassword ${PASSWORD})
 		# Save hash to file
 		change_setting "WEBPASSWORD" "${hash}"
 		echo "New password set"
--- a/install/basic-install.sh
+++ b/install/basic-install.sh
@ -1413,7 +1413,8 @@ main() {
    pw=""
    if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
        pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
-        /usr/local/bin/pihole -a -p "${pw}"
+        . /opt/pihole/webpage.sh
+        echo "WEBPASSWORD=$(HashPassword ${pw})" >> ${setupVars}
    fi
  fi