author | Carl Schwan <carl@carlschwan.eu> | 2022-07-05 11:47:25 +0200 |
---|---|---|
committer | Carl Schwan <carl@carlschwan.eu> | 2022-07-05 11:47:25 +0200 |
commit | f99a06c89a116cbc447b5fb5d2ec27462b9fba51 (patch) | |
tree | 7d40b7a5cbe861549f4f024795b54ba716076207 /apps | |
parent | 1c23c029af1ef83935badb8b63cb4dffac59b1e4 (diff) | |
Don't allow setting password bigger than 469 characters
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
Diffstat (limited to 'apps')
3 files changed, 12 insertions, 1 deletions
diff --git a/apps/settings/lib/Controller/ChangePasswordController.php b/apps/settings/lib/Controller/ChangePasswordController.php
index 7c3ab9546bc..41f2584721c 100644
--- a/apps/settings/lib/Controller/ChangePasswordController.php
+++ b/apps/settings/lib/Controller/ChangePasswordController.php
@@ -107,7 +107,7 @@ class ChangePasswordController extends Controller {
 }
 try {
- if ($newpassword === null || $user->setPassword($newpassword) === false) {
+ if ($newpassword === null || strlen($newpassword) > 469 || $user->setPassword($newpassword) === false) {
 return new JSONResponse([
 'status' => 'error',
 'data' => [
@@ -158,6 +158,15 @@ class ChangePasswordController extends Controller {
 ]);
 }
+ if (strlen($password) > 469) {
+ return new JSONResponse([
+ 'status' => 'error',
+ 'data' => [
+ 'message' => $this->l->t('Unable to change password. Password too long.'),
+ ],
+ ]);
+ }
+
 $currentUser = $this->userSession->getUser();
 $targetUser = $this->userManager->get($username);
 if ($currentUser === null || $targetUser === null ||
diff --git a/apps/settings/src/components/UserList/UserRow.vue b/apps/settings/src/components/UserList/UserRow.vue
index de0a09f2221..f2947019f40 100644
--- a/apps/settings/src/components/UserList/UserRow.vue
+++ b/apps/settings/src/components/UserList/UserRow.vue
@@ -107,6 +107,7 @@
 ref="password"
 :disabled="loading.password || loading.all"
 :minlength="minPasswordLength"
+ maxlength="469"
 :placeholder="t('settings', 'Add new password')"
 autocapitalize="off"
 autocomplete="new-password"
diff --git a/apps/settings/templates/settings/personal/security/password.php b/apps/settings/templates/settings/personal/security/password.php
index 88536ab6b23..85959e252cc 100644
--- a/apps/settings/templates/settings/personal/security/password.php
+++ b/apps/settings/templates/settings/personal/security/password.php
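Review bot: In the first hunk the new `strlen($newpassword) > 469` test is folded into the same condition as a failed `setPassword()`, so an over-long password gets whatever error that shared branch returns rather than the explicit "Password too long" message the second hunk adds. The message of that branch is outside the hunk, so confirm what the user actually sees, or split the length test into its own early return. The literal 469 also appears four times in this commit with no explanation; a class constant such as `private const MAX_PASSWORD_LENGTH = 469;`, with a comment stating where the limit comes from, would keep the two controller checks and the two `maxlength` attributes from drifting apart. The enclosing method starts and ends outside the hunk.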
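Review bot: The `strlen($password) > 469` guard in the second hunk lives only in this settings controller, so any other code path that reaches `setPassword()` is not covered by what is visible here. The diffstat is limited to `apps`, so check whether the user manager or the user backend enforces the same limit; if it does not, the check belongs there, with the controller only translating the failure into a message. A test that submits a 470-byte password to both controller actions and expects the error response would pin the boundary, since `> 469` still accepts exactly 469 bytes. The enclosing method continues outside the hunk.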
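Review bot: `maxlength="469"` in UserRow.vue limits UTF-16 code units in the browser, while the server-side checks in ChangePasswordController.php use `strlen()`, which counts bytes. A password containing non-ASCII characters can therefore satisfy the field limit and still be rejected by the server. The same applies to the `maxlength` added in templates/settings/personal/security/password.php. A short comment next to the attribute, for example `<!-- server limit is 469 bytes; multi-byte passwords hit it sooner -->`, would make the difference explicit, and the attribute should be treated as a usability hint only, because the server check is the actual control.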
@@ -46,6 +46,7 @@ if ($_['passwordChangeSupported']) {
 <div class="personal-show-container">
 <label for="pass2" class="hidden-visually"><?php p($l->t('New password'));?>: </label>
 <input type="password" id="pass2" name="newpassword"
+ maxlength="469"
 placeholder="<?php p($l->t('New password')); ?>"
 data-typetoggle="#personal-show"
 autocomplete="new-password" autocapitalize="none" autocorrect="off" /> |