
[#9130] Invalid characters allowed in new password
Summary Invalid characters allowed in new password
Queue Passwd
Queue Version 3.1
Type Enhancement
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester Valentin.Vidic (at) carnet (dot) hr
Created 07/08/2010 (5453 days ago)
Due
Updated 10/25/2010 (5344 days ago)
Assigned
Resolved 10/25/2010 (5344 days ago)
Milestone
Patch Yes

History
10/25/2010 12:48:28 PM Jan Schneider State ⇒ Resolved
 
10/25/2010 12:47:39 PM CVS Commit Comment #6
Changes have been made in CVS for this ticket:

Fix class name (Bug #9130).
http://cvs.horde.org/diff.php/passwd/main.php?rt=horde&r1=1.67.2.11&r2=1.67.2.12&ty=u
10/25/2010 12:40:54 PM Valentin (dot) Vidic (at) carnet (dot) hr Comment #5
> I slightly changed it to not allow multi-byte characters at all. Please test.
Trying to change password produces the following error:

Fatal error: Class 'Horde_String' not found in passwd/main.php on line 92

But after changing the call to String::length($new_password0) it seems 
to work - UTF8 chars are not allowed in the password.
10/21/2010 04:34:18 PM Jan Schneider Comment #4
Assigned to Jan Schneider
State ⇒ Feedback
I slightly changed it to not allow multi-byte characters at all. Please test.
10/21/2010 04:26:14 PM CVS Commit Comment #2
Changes have been made in CVS for this ticket:

[jan] Verify that new passwords don't contain any invalid (non-ascii)
characters (Valentin Vidic, Request #9130).
http://cvs.horde.org/diff.php/passwd/docs/CHANGES?rt=horde&r1=1.119&r2=1.120&ty=u
http://cvs.horde.org/diff.php/passwd/main.php?rt=horde&r1=1.84&r2=1.85&ty=u
07/08/2010 03:44:43 PM Valentin (dot) Vidic (at) carnet (dot) hr Comment #1
Priority ⇒ 2. Medium
Type ⇒ Enhancement
Summary ⇒ Invalid characters allowed in new password
Queue ⇒ Passwd
Milestone ⇒
Patch ⇒ Yes
New Attachment: passwd.diff
State ⇒ New
Passwd doesn't check if the new password contains characters other 
than alpha, num, space and symbol so some of our users ended up with 
passwords containing UTF8 characters. Since passwords are often used 
in various different applications this is not a good idea. Attached is 
a patch that introduces a counter for characters not matched by other 
ctype classes. In addition to this, the password charset has to be taken 
into account in order to split into characters correctly.
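
The check this ticket describes, as an added PHP example that is neither the attached passwd.diff nor Horde's committed code: it splits the password per character in a declared charset, counts characters that match none of the alpha, num, space and symbol classes, and also reports whether any character is multi-byte. The function name `classify_password()`, its return shape and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example, not Horde Passwd code; classify_password() is a hypothetical name.
// Requires the mbstring extension and PHP 7.4+ (mb_str_split).
function classify_password(string $password, string $charset = 'UTF-8'): array
{
    $counts = ['alpha' => 0, 'num' => 0, 'space' => 0, 'symbol' => 0, 'other' => 0];

    // Bytes that do not decode in the declared charset cannot be split
    // into characters reliably, so reject them outright.
    if (!mb_check_encoding($password, $charset)) {
        return ['ok' => false, 'multibyte' => null, 'counts' => $counts];
    }

    // Split per character in the declared charset, not per byte.
    foreach (mb_str_split($password, 1, $charset) as $char) {
        if (strlen($char) !== 1 || ord($char) > 0x7F) {
            $counts['other']++;      // multi-byte, or a single high-bit byte
        } elseif (ctype_alpha($char)) {
            $counts['alpha']++;
        } elseif (ctype_digit($char)) {
            $counts['num']++;
        } elseif (ctype_space($char)) {
            $counts['space']++;
        } elseif (ctype_punct($char)) {
            $counts['symbol']++;
        } else {
            $counts['other']++;      // ASCII control characters
        }
    }

    return [
        'ok' => $counts['other'] === 0,
        // Character count differs from byte count when any character is multi-byte.
        'multibyte' => mb_strlen($password, $charset) !== strlen($password),
        'counts' => $counts,
    ];
}

// Constructed sample inputs: [password bytes, declared charset].
$samples = [
    ['Tr0ub4dor &3', 'UTF-8'],       // plain ASCII: accepted
    ["lozinka\u{0161}1", 'UTF-8'],   // U+0161 is two bytes in UTF-8: rejected
    ["caf\xE9", 'ISO-8859-1'],       // single high-bit byte: rejected, not multi-byte
    ["abc\xFF", 'UTF-8'],            // invalid UTF-8: rejected
];
foreach ($samples as [$pw, $cs]) {
    $r = classify_password($pw, $cs);
    printf("%-24s %-10s ok=%s other=%d\n", bin2hex($pw), $cs, var_export($r['ok'], true), $r['counts']['other']);
}
```

The ISO-8859-1 sample shows why the charset matters: a length comparison alone reports no multi-byte character there, while the per-character class count still flags the non-ASCII byte.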
