From e318925f621fe97d2500e0176dd6436ab8e9fb8a Mon Sep 17 00:00:00 2001
From: Krishna Srinivas
Date: Wed, 30 Mar 2016 15:17:20 +0530
Subject: [PATCH] credentials: min/max length check for credentials.

---
 access-key.go | 4 ++--
 web-handlers.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/access-key.go b/access-key.go
index 72de0f858..2e141e645 100644
--- a/access-key.go
+++ b/access-key.go
@@ -44,10 +44,10 @@ const (
 )
 
 // isValidSecretKey - validate secret key.
-var isValidSecretKey = regexp.MustCompile("^.{40}$")
+var isValidSecretKey = regexp.MustCompile("^.{8,40}$")
 
 // isValidAccessKey - validate access key.
-var isValidAccessKey = regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$")
+var isValidAccessKey = regexp.MustCompile("^[a-zA-Z0-9\\-\\.\\_\\~]{5,20}$")
 
 // mustGenAccessKeys - must generate access credentials.
 func mustGenAccessKeys() (creds credential) {
diff --git a/web-handlers.go b/web-handlers.go
index 32d055714..e04aeb38e 100644
--- a/web-handlers.go
+++ b/web-handlers.go
@@ -311,11 +311,11 @@ func (web *webAPI) SetAuth(r *http.Request, args *SetAuthArgs, reply *SetAuthRep
 	if !isJWTReqAuthenticated(r) {
 		return &json2.Error{Message: "Unauthorized request"}
 	}
-	if args.AccessKey == "" {
-		return &json2.Error{Message: "Empty access key not allowed"}
+	if !isValidAccessKey.MatchString(args.AccessKey) {
+		return &json2.Error{Message: "Invalid Access Key"}
 	}
-	if args.SecretKey == "" {
-		return &json2.Error{Message: "Empty secret key not allowed"}
+	if !isValidSecretKey.MatchString(args.SecretKey) {
+		return &json2.Error{Message: "Invalid Secret Key"}
 	}
 	cred := credential{args.AccessKey, args.SecretKey}
 	serverConfig.SetCredential(cred)
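Review bot: The relaxed secret-key pattern `^.{8,40}$` on the new side accepts an 8-character secret, which is a weak lower bound for a value that presumably acts as a signing key; the old 40-character rule matched the generated-key length, and now that user-chosen secrets are admitted a higher minimum (or a separate, stricter pattern for generated keys) is worth considering. Two properties of Go's `regexp` are also worth recording in the doc comment, since they are not obvious from the pattern: the `{8,40}` bound counts runes, not bytes, so a multibyte secret can pass while exceeding 40 bytes, and `.` does not match a newline, so a secret containing one is rejected. Suggested comment: `// isValidSecretKey - validate secret key: 8-40 runes, any character except newline (length is counted in runes, not bytes).` The same rune-vs-byte note does not apply to `isValidAccessKey`, whose class is ASCII-only.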
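Review bot: The new rejection messages `Invalid Access Key` and `Invalid Secret Key` do not say which constraint failed, so a caller sending a 4-character access key or a 41-character secret gets no actionable feedback; since the rules are fixed by the two package-level regexps, the messages could state them: `Invalid Access Key: must be 5-20 characters from [a-zA-Z0-9-._~]` and `Invalid Secret Key: must be 8-40 characters`. Neither message echoes the submitted value, which is correct and should stay that way for the secret. The validation runs only after `isJWTReqAuthenticated` succeeds, which is the right order. SetAuth's body continues past the hunk, so whether the credential set via `serverConfig.SetCredential` is also persisted is not visible here.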