author | zeripath <art27@cantab.net> | 2021-12-17 02:03:39 +0000 |
committer | GitHub <noreply@github.com> | 2021-12-17 10:03:39 +0800 |
commit | d29b689f813ee83a4ec3526fbad7fb76a6958cc0 (patch) | |
tree | 79283195a316f021c0831d7b24834e2052a597d8 /routers | |
parent | dab28c7049bdcf0da2b5c907e610c6a502fa37ac (diff) | |
Ensure complexity, minlength and ispwned are checked on password setting (#18005)
It appears that there are several places where password length, complexity and ispwned
are not currently being checked when changing passwords. This PR adds these.
Fix #17977
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/admin/user.go | 5 | ||||
-rw-r--r-- | routers/web/user/auth.go | 17 |
2 files changed, 21 insertions, 1 deletions
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 44358b4bef..5d2bbdea2f 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -20,6 +20,7 @@ import (
 "code.gitea.io/gitea/modules/convert"
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/password"
+ "code.gitea.io/gitea/modules/setting"
 api "code.gitea.io/gitea/modules/structs"
 "code.gitea.io/gitea/modules/web"
 "code.gitea.io/gitea/routers/api/v1/user"
@@ -173,6 +174,10 @@ func EditUser(ctx *context.APIContext) {
 }
 if len(form.Password) != 0 {
+ if len(form.Password) < setting.MinPasswordLength {
+ ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
+ return
+ }
 if !password.IsComplexEnough(form.Password) {
 err := errors.New("PasswordComplexity")
 ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
index 178852d3fb..0f1ede85a7 100644
--- a/routers/web/user/auth.go
+++ b/routers/web/user/auth.go
@@ -1873,8 +1873,23 @@ func MustChangePasswordPost(ctx *context.Context) {
 ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
 return
 }
+ if !password.IsComplexEnough(form.Password) {
+ ctx.Data["Err_Password"] = true
+ ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
+ return
+ }
+ pwned, err := password.IsPwned(ctx, form.Password)
+ if pwned {
+ ctx.Data["Err_Password"] = true
+ errMsg := ctx.Tr("auth.password_pwned")
+ if err != nil {
+ log.Error(err.Error())
+ errMsg = ctx.Tr("auth.password_pwned_err")
+ }
+ ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
+ return
+ }
- var err error
 if err = u.SetPassword(form.Password); err != nil {
 ctx.ServerError("UpdateUser", err)
 return |
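Review bot: The new length guard in EditUser compares `len(form.Password)`, which is a byte count, against `setting.MinPasswordLength`, while the error it returns promises "at least %d characters"; a password containing multi-byte characters can therefore pass with fewer characters than the configured minimum. The web handler in the second file uses the same byte-based comparison, so the two paths at least agree, but the rule is now spelled out independently in both handlers. A single helper in modules/password next to IsComplexEnough (something like a `CheckLength(pw string) error`) would keep the byte-versus-rune decision and the message in one place; the minimum change here is a comment on the guard, `// NOTE: len() counts bytes, not characters — kept consistent with the web handler's check`. EditUser continues past the end of this hunk.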
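Review bot: The result of `password.IsPwned` is consulted only through `pwned`; a non-nil `err` returned together with `pwned == false` is never examined and is then overwritten by the `err = u.SetPassword(form.Password)` assignment below, so the password would be stored without the breach lookup having succeeded. This is fail-closed only if IsPwned is guaranteed to report `pwned = true` whenever it returns an error — the nested `if err != nil` inside `if pwned` suggests that contract, but nothing in the hunk states it. Either test `err` before `pwned` so the dependency is explicit in the handler, or record the assumption above the call: `// IsPwned reports pwned=true on lookup failure, so an error cannot fall through to SetPassword — TODO confirm against modules/password`. MustChangePasswordPost starts before and ends after this hunk.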