Issue #777 has been updated by Clément OUDOT. Status changed from New to Assigned Assigned to set to Clément OUDOT Target version set to self-service-password-0.9
---------------------------------------- Bug #777: Self-Service-Password: Not honoring settings for password complexity. http://tools.lsc-project.org/issues/777 Author: Bill Graboyes Status: Assigned Priority: Normal Assigned to: Clément OUDOT Category: Target version: self-service-password-0.9 Hi Folks, Love the product, I did however notice a bug. If the number of password requirements > number of character classes the requirements win. This is not the behavior that was expected. Looking through the code it looks as if the problem stems from the following lines of code in ./lib/functions.inc.php: <pre> function check_password_strength( $password, $oldpassword, $pwd_policy_config ) { extract( $pwd_policy_config ); --snip-- # Complexity: checks for lower, upper, special, digits if ( $pwd_complexity ) { $complex = 0; if ( $special > 0 ) { $complex++; } if ( $digit > 0 ) { $complex++; } if ( $lower > 0 ) { $complex++; } if ( $upper > 0 ) { $complex++; } if ( $complex < $pwd_complexity ) { $result="notcomplex"; } } # Minimal lenght if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; } # Maximal lenght if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; } # Minimal lower chars if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; } # Minimal upper chars if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; } # Minimal digit chars if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; } # Minimal special chars if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; } # Forbidden chars if ( $forbidden > 0 ) { $result="forbiddenchars"; } # Same as old password? if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; } return $result; } </pre> If I were to recommend a patch, since you are already calculating the the pwd_complexity it would probably go something like this: <pre> function check_password_strength( $password, $oldpassword, $pwd_policy_config ) { extract( $pwd_policy_config ); --snip-- # Complexity: checks for lower, upper, special, digits if ( $pwd_complexity ) { $complex = 0; if ( $special > 0 ) { $complex++; } if ( $digit > 0 ) { $complex++; } if ( $lower > 0 ) { $complex++; } if ( $upper > 0 ) { $complex++; } if ( $complex < $pwd_complexity ) { $result="notcomplex"; } } else { # Minimal lenght if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; } # Maximal lenght if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; } # Minimal lower chars if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; } # Minimal upper chars if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; } # Minimal digit chars if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; } # Minimal special chars if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; } } # Forbidden chars if ( $forbidden > 0 ) { $result="forbiddenchars"; } # Same as old password? if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; } return $result; } </pre> Thanks, tc3driver -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
