View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
19842 | Bug reports | Security | public | 2024-11-20 09:25 | 2024-11-25 18:37 |
Reporter | Mazi | Assigned To | c_schmitz | ||
Priority | none | Severity | minor | ||
Status | resolved | Resolution | fixed | ||
Product Version | 6.6.x | ||||
Summary | 19842: Password requirements do not get applied for users changing their password at their profile - this allows insecure passwords | ||||
Description | If I go to my profile to change my password, the hint notes "A password must meet the following requirements: At least 4 characters long.". | ||||
Steps To Reproduce | Steps to reproduceGo to your profile and change your password to abc123 Expected resultInsecure passwords are allowed Actual resultApply password rules defined at PasswordRequirement plugin | ||||
Tags | No tags attached. | ||||
Bug heat | 256 | ||||
Complete LimeSurvey version number (& build) | 6.8.1 | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | Chrome | ||||
Database type & version | MySQL/MariaDB | ||||
Server OS (if known) | Ubuntu 20 | ||||
Webserver software & version (if known) | Apache 2.0 | ||||
PHP Version | 8.2 | ||||
@tibor.pacalat: This issue was also reported at the recent pentest results. |
|
I think it must be Apply password rules defined at PasswordRequirement plugin as Expected result, no ? |
|
Have a white page here |
|
@c_schmitz I think your fix link is wrong here, it seems to be theme related and has nothing to do with the password details?! |
|
Dudes, give me a breather here. I just corrected it. |
|
Problem is that we have two way of settings password requirement: 1.) Editing personald settings: Setting in config.php using $config['passwordValidationRules'] = array( 2.) Editing a user: PasswordRequirement plugin We should decide for one of the two ways and remove the other. If we pick 1.) I think the plugin should be activated by default. if we pick 2.) then we need to create settings in global settings |
|
PasswordRequirement didn't use passwordValidationRules for default if not edited ? It's the default behavior of Global Settings currently
I think it's the best way, no ? |
|
No, as far as I can see passwordvalidation rules are not used anywhere else but in personal settings. |
|
I also vote for checking config-defaults, overwrite by config.php, overwrite by plugin. That's how it usually works. |
|
Looking at code : seems plugins and core do the same things ? |
|
yeah. that's what I meant. |
|
I refactored it so the core code is used everywhere and it is also calling the plugin event. |
|
Your update was great |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2024-11-20 09:25 | Mazi | New Issue | |
2024-11-20 09:26 | Mazi | Note Added: 81448 | |
2024-11-20 09:26 | Mazi | Bug heat | 250 => 252 |
2024-11-20 09:59 | DenisChenu | Note Added: 81449 | |
2024-11-20 09:59 | DenisChenu | Bug heat | 252 => 254 |
2024-11-20 10:42 | c_schmitz | Changeset attached | => LimeSurvey master 8f701c35 |
2024-11-20 10:42 | c_schmitz | Assigned To | => c_schmitz |
2024-11-20 10:42 | c_schmitz | Resolution | open => fixed |
2024-11-20 10:42 | c_schmitz | Bug heat | 254 => 256 |
2024-11-20 10:43 | DenisChenu | Note Added: 81453 | |
2024-11-20 10:44 | c_schmitz | Bug heat | 256 => 254 |
2024-11-20 10:44 | Mazi | Note Added: 81455 | |
2024-11-20 10:45 | c_schmitz | Note Added: 81456 | |
2024-11-20 10:45 | c_schmitz | Bug heat | 254 => 256 |
2024-11-20 12:06 | c_schmitz | Changeset removed | LimeSurvey master 8f701c35 => |
2024-11-20 12:29 | c_schmitz | Note Added: 81460 | |
2024-11-20 12:31 | c_schmitz | Note Edited: 81460 | |
2024-11-20 12:36 | c_schmitz | Note Edited: 81460 | |
2024-11-20 13:20 | DenisChenu | Note Added: 81462 | |
2024-11-20 14:24 | c_schmitz | Note Added: 81464 | |
2024-11-20 15:10 | Mazi | Note Added: 81466 | |
2024-11-20 16:55 | c_schmitz | Status | new => ready for code review |
2024-11-20 16:55 | c_schmitz | Note Added: 81471 | |
2024-11-20 17:00 | DenisChenu | Note Added: 81472 | |
2024-11-20 17:02 | c_schmitz | Note Added: 81473 | |
2024-11-20 17:04 | c_schmitz | Note Added: 81474 | |
2024-11-20 17:07 | DenisChenu | Note Added: 81475 | |
2024-11-25 18:37 | tibor.pacalat | Status | ready for code review => resolved |