Issue #777 has been reported by Bill Graboyes.
----------------------------------------
Bug #777: Self-Service-Password: Not honoring settings for password complexity.
http://tools.lsc-project.org/issues/777
Author: Bill Graboyes
Status: New
Priority: Normal
Assigned to:
Category:
Target version:
Hi Folks,
Love the product, I did however notice a bug.
If the number of password requirements > number of character classes the
requirements win. This is not the behavior that was expected.
Looking through the code it looks as if the problem stems from the following
lines of code in ./lib/functions.inc.php:
<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config )
{
    extract( $pwd_policy_config );
    --snip--
    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    }
    # Minimal length
    if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }
    # Maximal length
    if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }
    # Minimal lower chars
    if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }
    # Minimal upper chars
    if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }
    # Minimal digit chars
    if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }
    # Minimal special chars
    if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }
    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }
    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }
    return $result;
}
</pre>
If I were to recommend a patch, since you are already calculating the
pwd_complexity, it would probably go something like this:
<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config )
{
    extract( $pwd_policy_config );
    --snip--
    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    }
    else {
        # Minimal length
        if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }
        # Maximal length
        if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }
        # Minimal lower chars
        if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }
        # Minimal upper chars
        if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }
        # Minimal digit chars
        if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }
        # Minimal special chars
        if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }
    }
    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }
    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }
    return $result;
}
</pre>
Thanks,
tc3driver
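To make the interaction between pwd_complexity and the per-class minimums concrete, here is a Python re-implementation of the rule set in check_password_strength() as an added example; it is not the Self-Service-Password project's PHP code. It evaluates the same rules in the same order, but collects every violated rule instead of overwriting one result variable, so it shows both why the per-class minimums "win" in the current code (the last assignment to $result is the one returned) and what the proposed else-branch changes. Assumed details not visible in the report: how the project counts "special" characters (here: anything non-alphanumeric), and the config key for forbidden characters (here the hypothetical `pwd_forbidden_chars`). Unlike the proposed patch, this version keeps the minimum and maximum length checks outside the complexity branch, so configuring pwd_complexity never disables the length policy.

```python
# Added example: Python model of the Self-Service-Password policy check.
# Not the project's code; policy keys mirror the PHP config names.

# Order matches the PHP rule order, so the last entry of the returned
# list is what the PHP code would leave in $result.
_CLASS_RULES = (
    ("lower", "minlower"),
    ("upper", "minupper"),
    ("digit", "mindigit"),
    ("special", "minspecial"),
)


def count_classes(password, forbidden_chars=""):
    """Count characters per class. ASSUMPTION: 'special' means any
    non-alphanumeric character; the project's exact counting is not shown."""
    return {
        "length": len(password),
        "lower": sum(1 for c in password if c.islower()),
        "upper": sum(1 for c in password if c.isupper()),
        "digit": sum(1 for c in password if c.isdigit()),
        "special": sum(1 for c in password if not c.isalnum()),
        "forbidden": sum(1 for c in password if c in forbidden_chars),
    }


def check_password_strength(password, old_password, policy,
                            complexity_overrides_minimums=False):
    """Return the list of violated rule names (empty list means accepted).

    complexity_overrides_minimums=False mirrors the current PHP code:
    per-class minimums apply even when pwd_complexity is set.
    complexity_overrides_minimums=True mirrors the proposed else-branch:
    per-class minimums are skipped when pwd_complexity is configured.
    Length limits are checked in both modes."""
    # 'pwd_forbidden_chars' is a hypothetical key used only in this example.
    counts = count_classes(password, policy.get("pwd_forbidden_chars", ""))
    violations = []

    complexity = policy.get("pwd_complexity", 0)
    if complexity:
        present = sum(1 for cls, _ in _CLASS_RULES if counts[cls] > 0)
        if present < complexity:
            violations.append("notcomplex")

    min_len = policy.get("pwd_min_length", 0)
    if min_len and counts["length"] < min_len:
        violations.append("tooshort")
    max_len = policy.get("pwd_max_length", 0)
    if max_len and counts["length"] > max_len:
        violations.append("toobig")

    if not (complexity and complexity_overrides_minimums):
        for cls, rule in _CLASS_RULES:
            minimum = policy.get("pwd_min_" + cls, 0)
            if minimum and counts[cls] < minimum:
                violations.append(rule)

    if counts["forbidden"] > 0:
        violations.append("forbiddenchars")
    if policy.get("pwd_no_reuse") and password == old_password:
        violations.append("sameasold")
    return violations


def php_style_result(violations):
    """What the PHP function reports: only the last rule that fired."""
    return violations[-1] if violations else "ok"


# Constructed policy reproducing the report: complexity of 2 classes plus a
# minimum of 1 character in every class and a minimum length of 8.
EXAMPLE_POLICY = {
    "pwd_complexity": 2,
    "pwd_min_length": 8,
    "pwd_min_lower": 1,
    "pwd_min_upper": 1,
    "pwd_min_digit": 1,
    "pwd_min_special": 1,
    "pwd_no_reuse": True,
}

if __name__ == "__main__":
    for pw in ("Password1", "password", "Pw1!"):
        current = check_password_strength(pw, "", EXAMPLE_POLICY)
        proposed = check_password_strength(pw, "", EXAMPLE_POLICY, True)
        print(f"{pw!r}: current={php_style_result(current)} {current} "
              f"proposed={php_style_result(proposed)} {proposed}")
```

Running it shows "Password1" (three classes, no special character) being rejected as minspecial under the current ordering even though it satisfies the complexity setting, and accepted once the per-class minimums are subordinate to pwd_complexity; "Pw1!" is still rejected as tooshort in both modes because the length check is not part of the complexity branch.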
--
_______________________________________________
ltb-dev mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-dev