It appears that there are several places that password length, complexity and ispwned
are not currently been checked when changing passwords. This PR adds these.
Fix #17977
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
if err := initDB(ctx); err != nil {
return err
}
+ if len(c.String("password")) < setting.MinPasswordLength {
+ return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
+ }
+
if !pwd.IsComplexEnough(c.String("password")) {
return errors.New("Password does not meet complexity requirements")
}
"code.gitea.io/gitea/modules/convert"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/password"
+ "code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/web"
"code.gitea.io/gitea/routers/api/v1/user"
}
if len(form.Password) != 0 {
+ if len(form.Password) < setting.MinPasswordLength {
+ ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
+ return
+ }
if !password.IsComplexEnough(form.Password) {
err := errors.New("PasswordComplexity")
ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
return
}
+ if !password.IsComplexEnough(form.Password) {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
+ return
+ }
+ pwned, err := password.IsPwned(ctx, form.Password)
+ if pwned {
+ ctx.Data["Err_Password"] = true
+ errMsg := ctx.Tr("auth.password_pwned")
+ if err != nil {
+ log.Error(err.Error())
+ errMsg = ctx.Tr("auth.password_pwned_err")
+ }
+ ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
+ return
+ }
- var err error
if err = u.SetPassword(form.Password); err != nil {
ctx.ServerError("UpdateUser", err)
return