diff options
| author | zeripath <art27@cantab.net> | 2021-12-17 02:03:39 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-12-17 10:03:39 +0800 |
| commit | d29b689f813ee83a4ec3526fbad7fb76a6958cc0 (patch) | |
| tree | 79283195a316f021c0831d7b24834e2052a597d8 /routers/web/user/auth.go | |
| parent | dab28c7049bdcf0da2b5c907e610c6a502fa37ac (diff) | |
| download | gitea-d29b689f813ee83a4ec3526fbad7fb76a6958cc0.tar.gz gitea-d29b689f813ee83a4ec3526fbad7fb76a6958cc0.zip | |
Ensure complexity, minlength and ispwned are checked on password setting (#18005)
It appears that there are several places that password length, complexity and ispwned
are not currently been checked when changing passwords. This PR adds these.
Fix #17977
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'routers/web/user/auth.go')
| -rw-r--r-- | routers/web/user/auth.go | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 178852d3fb..0f1ede85a7 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -1873,8 +1873,23 @@ func MustChangePasswordPost(ctx *context.Context) { ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form) return } + if !password.IsComplexEnough(form.Password) { + ctx.Data["Err_Password"] = true + ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form) + return + } + pwned, err := password.IsPwned(ctx, form.Password) + if pwned { + ctx.Data["Err_Password"] = true + errMsg := ctx.Tr("auth.password_pwned") + if err != nil { + log.Error(err.Error()) + errMsg = ctx.Tr("auth.password_pwned_err") + } + ctx.RenderWithErr(errMsg, tplMustChangePassword, &form) + return + } - var err error if err = u.SetPassword(form.Password); err != nil { ctx.ServerError("UpdateUser", err) return |