Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
sec(Users) limit password length and eliminate unused parameter
  • Loading branch information
joebordes committed Nov 21, 2021
1 parent 7f17a33 commit 15788f3
Show file tree
Hide file tree
Showing 6 changed files with 7 additions and 6 deletions.
3 changes: 2 additions & 1 deletion include/Webservices/ChangePassword.php
Expand Up @@ -47,7 +47,8 @@ function vtws_changePassword($id, $oldPassword, $newPassword, $confirmPassword,
$db = PearDatabase::getInstance();
$db->dieOnError = false;
$db->startTransaction();
$success = $newUser->change_password($oldPassword, $newPassword, false);
$newPassword = substr($newPassword, 0, 1024);
$success = $newUser->change_password($oldPassword, $newPassword);
$error = $db->hasFailedTransaction();
$db->completeTransaction();
VTWS_PreserveGlobal::flush();
Expand Down
3 changes: 1 addition & 2 deletions modules/Home/Homestuff.php
Expand Up @@ -16,8 +16,7 @@

if (!empty($_REQUEST['stufftitle'])) {
if (strlen($_REQUEST['stufftitle'])>100) {
$temp_str = substr($_REQUEST['stufftitle'], 0, 97).'...';
$oHomestuff->stufftitle= $temp_str;
$oHomestuff->stufftitle= vtlib_purify(substr($_REQUEST['stufftitle'], 0, 97)).'...';
} else {
$oHomestuff->stufftitle = vtlib_purify($_REQUEST['stufftitle']);
}
Expand Down
1 change: 1 addition & 0 deletions modules/Users/ChangePassword.js
Expand Up @@ -106,6 +106,7 @@ function changepassword(is_admin, userid) {
document.getElementById('err_msg').innerHTML = err_msg;
return;
}
new_password = new_password.substring(0, 1024);
let password = corebos_Password.passwordChecker(new_password);
if (!password) {
err_msg = alert_arr['PASSWORD REQUIREMENTS NOT MET'];
Expand Down
2 changes: 1 addition & 1 deletion modules/Users/Save.php
Expand Up @@ -87,7 +87,7 @@
if (isset($_REQUEST['changepassword']) && $_REQUEST['changepassword'] == 'true') {
$focus->retrieve_entity_info($_REQUEST['record'], 'Users');
$focus->id = vtlib_purify($_REQUEST['record']);
if (isset($_REQUEST['new_password']) && !$focus->change_password(vtlib_purify($_REQUEST['old_password']), vtlib_purify($_REQUEST['new_password']))) {
if (isset($_REQUEST['new_password']) && !$focus->change_password(vtlib_purify($_REQUEST['old_password']), vtlib_purify(substr($_REQUEST['new_password'], 0, 1024)))) {
header('Location: index.php?action=DetailView&module=Users&record='.$focus->id.'&error_string='.urlencode($focus->error_string));
exit;
}
Expand Down
2 changes: 1 addition & 1 deletion modules/Users/Users.php
Expand Up @@ -522,7 +522,7 @@ public function get_user_crypt_type() {
* @param string new password
* @return boolean If passwords pass verification and query succeeds, return true, else return false
*/
public function change_password($user_password, $new_password, $dieOnError = true) {
public function change_password($user_password, $new_password) {
global $current_user, $log, $adb;
$usr_name = $this->column_fields['user_name'];
$log->debug("Starting password change for $usr_name");
Expand Down
2 changes: 1 addition & 1 deletion modules/Vtiger/ExecuteFunctions.php
Expand Up @@ -479,7 +479,7 @@
$focus->mode='edit';
$focus->id = $userid;
$focus->retrieve_entity_info($userid, 'Users');
$ret = $focus->change_password('old_password', vtlib_purify($_REQUEST['new_password']));
$ret = $focus->change_password('old_password', vtlib_purify(substr($_REQUEST['new_password'], 0, 1024)));
if ($ret) {
$ret = array('password'=>$ret);
} else {
Expand Down

0 comments on commit 15788f3

Please sign in to comment.