Also limit the password length on reset 35965/head
authorJoas Schilling <coding@schilljs.com>
Tue, 3 Jan 2023 15:36:01 +0000 (16:36 +0100)
committerJoas Schilling <coding@schilljs.com>
Tue, 3 Jan 2023 15:36:01 +0000 (16:36 +0100)
Signed-off-by: Joas Schilling <coding@schilljs.com>
core/Controller/LoginController.php
core/Controller/LostController.php

index 4c4a12355d22f0af6c60ad28ee664989ed9d22e5..386987842c2ebab97a56d406dd21cefc3612e484 100644 (file)
@@ -121,7 +121,7 @@ class LoginController extends Controller {
 
                $response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
                        'core.login.showLoginForm',
-                       ['clear' => true] // this param the the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
+                       ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
                ));
 
                $this->session->set('clearingExecutionContexts', '1');
index fadfa242b939e1e74f5b7e824f90aabea8daf436..e7960dbcef5824acd347a7de8ca834b3f740b65c 100644 (file)
@@ -240,6 +240,10 @@ class LostController extends Controller {
                        $this->eventDispatcher->dispatchTyped(new BeforePasswordResetEvent($user, $password));
                        \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', ['uid' => $userId, 'password' => $password]);
 
+                       if (strlen($password) > 469) {
+                               throw new HintException('Password too long', $this->l10n->t('Password is too long. Maximum allowed length is 469 characters.'));
+                       }
+
                        if (!$user->setPassword($password)) {
                                throw new Exception();
                        }
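Review bot: The new length check sits after `dispatchTyped(new BeforePasswordResetEvent($user, $password))` and the `pre_passwordReset` hook emit, so every listener still receives the over-long password before it is rejected. If the limit is meant to bound the cost of processing the password (presumably hashing or key handling downstream), moving the `if (strlen($password) > 469) { ... }` guard above the dispatch would keep rejected input away from listeners and avoid announcing a reset that never happens. `strlen()` counts bytes while the user-facing message says "characters", so a multibyte password is refused well below 469 characters; either reword the message or add a comment such as `// limit is enforced in bytes, not characters`. The enclosing method begins and ends outside this hunk, so how the `HintException` is caught and reported cannot be confirmed from here.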