View Issue Details

This bug affects 1 person(s).
 258
IDProjectCategoryView StatusLast Update
19842Bug reportsSecuritypublic2024-12-03 11:41
ReporterMazi Assigned Toc_schmitz  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version6.6.x 
Summary19842: Password requirements do not get applied for users changing their password at their profile - this allows insecure passwords
Description

If I go to my profile to change my password, the hint notes "A password must meet the following requirements: At least 4 characters long.".
Even if I set the password length to 10 at the PasswordRequirement plugin, this does NOT get applied.

Steps To Reproduce

Steps to reproduce

Go to your profile and change your password to abc123

Expected result

Insecure passwords are allowed

Actual result

Apply password rules defined at PasswordRequirement plugin

TagsNo tags attached.
Bug heat258
Complete LimeSurvey version number (& build)6.8.1
I will donate to the project if issue is resolvedNo
BrowserChrome
Database type & versionMySQL/MariaDB
Server OS (if known)Ubuntu 20
Webserver software & version (if known)Apache 2.0
PHP Version8.2

Users monitoring this issue

There are no users monitoring this issue.

Activities

Mazi

Mazi

2024-11-20 09:26

updater   ~81448

@tibor.pacalat: This issue was also reported at the recent pentest results.

DenisChenu

DenisChenu

2024-11-20 09:59

developer   ~81449

Expected result
Insecure passwords are allowed
What ?

I think it must be Apply password rules defined at PasswordRequirement plugin as Expected result, no ?

DenisChenu

DenisChenu

2024-11-20 10:43

developer   ~81453

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=36649

Have a white page here
And don't found the commit on https://github.com/LimeSurvey/LimeSurvey/commits/master/

Mazi

Mazi

2024-11-20 10:44

updater   ~81455

@c_schmitz I think your fix link is wrong here, it seems to be theme related and has nothing to do with the password details?!

c_schmitz

c_schmitz

2024-11-20 10:45

administrator   ~81456

Dudes, give me a breather here. I just corrected it.

c_schmitz

c_schmitz

2024-11-20 12:29

administrator   ~81460

Last edited: 2024-11-20 12:36

Problem is that we have two way of settings password requirement:

1.) Editing personald settings: Setting in config.php using

$config['passwordValidationRules'] = array(
'min' => 4,
'max' => 0,
'lower' => 0,
'upper' => 0,
'numeric' => 0,
'symbol' => 0,
);

2.) Editing a user: PasswordRequirement plugin

We should decide for one of the two ways and remove the other.

If we pick 1.) I think the plugin should be activated by default.

if we pick 2.) then we need to create settings in global settings

DenisChenu

DenisChenu

2024-11-20 13:20

developer   ~81462

We should decide for one of the two ways and remove the other.

PasswordRequirement didn't use passwordValidationRules for default if not edited ?

It's the default behavior of Global Settings currently

  1. Get for config-default
  2. Get for config if exist
  3. Get from DB if exist

I think it's the best way, no ?

c_schmitz

c_schmitz

2024-11-20 14:24

administrator   ~81464

No, as far as I can see passwordvalidation rules are not used anywhere else but in personal settings.

Mazi

Mazi

2024-11-20 15:10

updater   ~81466

I also vote for checking config-defaults, overwrite by config.php, overwrite by plugin. That's how it usually works.
In general, the plugin is easier to use for admins compared to changing config files. So that would be my preferred solution.

c_schmitz

c_schmitz

2024-11-20 16:55

administrator   ~81471

https://github.com/LimeSurvey/LimeSurvey/pull/4048

DenisChenu

DenisChenu

2024-11-20 17:00

developer   ~81472

Looking at code : seems plugins and core do the same things ?

c_schmitz

c_schmitz

2024-11-20 17:02

administrator   ~81473

yeah. that's what I meant.

c_schmitz

c_schmitz

2024-11-20 17:04

administrator   ~81474

I refactored it so the core code is used everywhere and it is also calling the plugin event.

DenisChenu

DenisChenu

2024-11-20 17:07

developer   ~81475

Your update was great

LimeBot

LimeBot

2024-12-03 11:41

administrator   ~81558

Fixed in Release 6.8.2+241203

Issue History

Date Modified Username Field Change
2024-11-20 09:25 Mazi New Issue
2024-11-20 09:26 Mazi Note Added: 81448
2024-11-20 09:26 Mazi Bug heat 250 => 252
2024-11-20 09:59 DenisChenu Note Added: 81449
2024-11-20 09:59 DenisChenu Bug heat 252 => 254
2024-11-20 10:42 c_schmitz Changeset attached => LimeSurvey master 8f701c35
2024-11-20 10:42 c_schmitz Assigned To => c_schmitz
2024-11-20 10:42 c_schmitz Resolution open => fixed
2024-11-20 10:42 c_schmitz Bug heat 254 => 256
2024-11-20 10:43 DenisChenu Note Added: 81453
2024-11-20 10:44 c_schmitz Bug heat 256 => 254
2024-11-20 10:44 Mazi Note Added: 81455
2024-11-20 10:45 c_schmitz Note Added: 81456
2024-11-20 10:45 c_schmitz Bug heat 254 => 256
2024-11-20 12:06 c_schmitz Changeset removed LimeSurvey master 8f701c35 =>
2024-11-20 12:29 c_schmitz Note Added: 81460
2024-11-20 12:31 c_schmitz Note Edited: 81460
2024-11-20 12:36 c_schmitz Note Edited: 81460
2024-11-20 13:20 DenisChenu Note Added: 81462
2024-11-20 14:24 c_schmitz Note Added: 81464
2024-11-20 15:10 Mazi Note Added: 81466
2024-11-20 16:55 c_schmitz Status new => ready for code review
2024-11-20 16:55 c_schmitz Note Added: 81471
2024-11-20 17:00 DenisChenu Note Added: 81472
2024-11-20 17:02 c_schmitz Note Added: 81473
2024-11-20 17:04 c_schmitz Note Added: 81474
2024-11-20 17:07 DenisChenu Note Added: 81475
2024-11-25 18:37 tibor.pacalat Status ready for code review => resolved
2024-12-03 11:41 LimeBot Note Added: 81558
2024-12-03 11:41 LimeBot Status resolved => closed
2024-12-03 11:41 LimeBot Bug heat 256 => 258