fix: added missing check on password length

thorsten · Jan 23, 2023 · 00c0409 · 00c0409
1 parent edf0f6f
commit 00c0409
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/phpmyfaq/admin/ajax.user.php b/phpmyfaq/admin/ajax.user.php
@@ -120,6 +120,7 @@
             $userName = Filter::filterVar($postData['userName'], FILTER_UNSAFE_RAW);
             $userRealName = Filter::filterVar($postData['realName'], FILTER_UNSAFE_RAW);
             $userEmail = Filter::filterVar($postData['email'], FILTER_VALIDATE_EMAIL);
+            $automaticPassword = Filter::filterVar($postData['automaticPassword'], FILTER_VALIDATE_BOOLEAN);
             $userPassword = Filter::filterVar($postData['password'], FILTER_UNSAFE_RAW);
             $userPasswordConfirm = Filter::filterVar($postData['passwordConfirm'], FILTER_UNSAFE_RAW);
             $userIsSuperAdmin = Filter::filterVar($postData['isSuperAdmin'], FILTER_VALIDATE_BOOLEAN);
@@ -138,6 +139,12 @@
             if (is_null($userEmail)) {
                 $errorMessage[] = $PMF_LANG['ad_user_error_noEmail'];
             }
+            if (!$automaticPassword) {
+                if (strlen($userPassword) <= 7 || strlen($userPasswordConfirm) <= 7) {
+                    $errorMessage[] = $PMF_LANG['ad_passwd_fail'];
+                }
+            }
+
             if (count($errorMessage) === 0) {
                 if (!$newUser->createUser($userName, $userPassword)) {
                     $errorMessage[] = $newUser->error();
@@ -204,6 +211,12 @@
                 exit(1);
             }
 
+            if (strlen($newPassword) <= 7 || strlen($retypedPassword) <= 7) {
+                $http->setStatus(400);
+                $http->sendJsonWithHeaders(['error' => $PMF_LANG['ad_passwd_fail']]);
+                exit(1);
+            }
+
             $user->getUserById($userId, true);
             $auth = new Auth($faqConfig);
             $authSource = $auth->selectAuth($user->getAuthSource('name'));

diff --git a/phpmyfaq/admin/assets/js/user.js b/phpmyfaq/admin/assets/js/user.js
@@ -157,6 +157,7 @@ document.addEventListener('DOMContentLoaded', () => {
       const userName = document.getElementById('add_user_name').value;
       const realName = document.getElementById('add_user_realname').value;
       const email = document.getElementById('add_user_email').value;
+      const automaticPassword = document.getElementById('add_user_automatic_password').checked;
       const password = document.getElementById('add_user_password').value;
       const passwordConfirm = document.getElementById('add_user_password_confirm').value;
       const isSuperAdmin = document.querySelector('#add_user_is_superadmin').checked;
@@ -167,6 +168,7 @@ document.addEventListener('DOMContentLoaded', () => {
         userName,
         realName,
         email,
+        automaticPassword,
         password,
         passwordConfirm,
         isSuperAdmin,

diff --git a/phpmyfaq/admin/user.php b/phpmyfaq/admin/user.php
@@ -444,7 +444,8 @@ class="form-check-input permission">
                       <?= $PMF_LANG['ad_passwd_new'] ?>
                   </label>
                   <div class="col-lg-8">
-                    <input type="password" autocomplete="off" name="npass" id="npass" class="form-control" required>
+                    <input type="password" autocomplete="off" name="npass" id="npass" class="form-control" minlength="8"
+                           required>
                   </div>
                 </div>
 
@@ -453,7 +454,8 @@ class="form-check-input permission">
                       <?= $PMF_LANG['ad_passwd_con'] ?>
                   </label>
                   <div class="col-lg-8">
-                    <input type="password" autocomplete="off" name="bpass" id="bpass" class="form-control" required>
+                    <input type="password" autocomplete="off" name="bpass" id="bpass" class="form-control" minlength="8"
+                           required>
                   </div>
                 </div>
 
@@ -684,7 +686,7 @@ class="form-control">
                        for="add_user_password"><?= $PMF_LANG['ad_adus_password'] ?></label>
                 <div class="col-lg-8">
                   <input type="password" name="add_user_password" id="add_user_password" class="form-control"
-                         autocomplete="off" tabindex="4">
+                         minlength="8" autocomplete="off" tabindex="4">
                 </div>
               </div>
 
@@ -693,7 +695,7 @@ class="form-control">
                        for="add_user_password_confirm"><?= $PMF_LANG['ad_passwd_con'] ?></label>
                 <div class="col-lg-8">
                   <input type="password" name="add_user_password_confirm" id="add_user_password_confirm"
-                         class="form-control" autocomplete="off" tabindex="5">
+                         minlength="8" class="form-control" autocomplete="off" tabindex="5">
                 </div>
               </div>
             </div>