Author: ryan.lane
Description:
In function processLogin in SpecialUserlogin.php, we create accounts
automatically if the external authentication plugin allows it, but we do not
check whether the given password is valid.
This allows users to create accounts with passwords that are shorter than
$wgMinimalPasswordLength. After the account has been created, the user cannot
log in with it.
Also, in function addNewAccountInternal, we do not declare the global
$wgMinimalPasswordLength before use.
Below is a patch to fix these two problems.
- SpecialUserlogin.php.old 2005-11-25 14:49:28.690823592 -0600
+++ SpecialUserlogin.php 2005-11-25 14:57:37.073578128 -0600
@@ -161,11 +161,11 @@
*/ function addNewAccountInternal() { global $wgUser, $wgOut; global $wgUseLatin1, $wgEnableSorbs, $wgProxyWhitelist; global $wgMemc, $wgAccountCreationThrottle, $wgDBname, $wgIP;
- global $wgAuth;
+ global $wgAuth, $wgMinimalPasswordLength;
// If the user passes an invalid domain, something is fishy if( !$wgAuth->validDomain( $this->mDomain ) ) { $this->mainLoginForm( wfMsg( 'wrongpassword' ) ); return false;
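Review bot: the new `global $wgAuth, $wgMinimalPasswordLength;` line is the right fix for the undeclared global, but none of the context visible in this hunk reads $wgMinimalPasswordLength, so please confirm that the use is inside addNewAccountInternal itself (presumably a `wfMsg( 'passwordtooshort', $wgMinimalPasswordLength )` call further down) and not in a helper that would need its own declaration. Style point: the function now carries four separate `global` statements in a row; folding them into one makes a missing declaration like this one easier to spot next time.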
@@ -288,17 +288,21 @@
if( is_null( $u ) ) { $this->mainLoginForm( wfMsg( 'noname' ) ); return; } if ( 0 == $u->getID() ) {
- global $wgAuth;
+ global $wgAuth, $wgMinimalPasswordLength;
/** * If the external authentication plugin allows it, * automatically create a new account for users that * are externally defined but have not yet logged in. */ if ( $wgAuth->autoCreate() && $wgAuth->userExists( $u->g etName() ) ) {
+ if ( !$wgUser->isValidPassword( $this->mPassword
) ) {
+ $this->mainLoginForm( wfMsg( 'passwordto
oshort', $wgMinimalPasswordLength ) );
+ return;
+ }
if ( $wgAuth->authenticate( $u->getName(), $this ->mPassword ) ) { $u =& $this->initUser( $u ); } else { $this->mainLoginForm( wfMsg( 'wrongpassw ord' ) ); return;
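Review bot: the new `$wgUser->isValidPassword( $this->mPassword )` check depends on $wgUser, but the only global declaration in this block is `global $wgAuth, $wgMinimalPasswordLength;`; confirm that processLogin already declares $wgUser global (it is not visible in this hunk), otherwise the method call fails. Second, the check runs before `$wgAuth->authenticate()`, and the branch is only reached when `$wgAuth->userExists()` is true, so a request for an externally defined name with a short password is answered with 'passwordtooshort' without authentication while other names never get that message; the response now differs depending on whether the external account exists. Consider moving the length check after a successful authenticate() and before `$u =& $this->initUser( $u );`: that still prevents creation of an account that cannot log in, but only reports the local policy failure to a caller who has proven the password.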
Version: 1.5.x
Severity: major
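To make the failure mode concrete, here is a stripped-down model of the auto-create path this report describes, written as an added illustration and not taken from MediaWiki or from the patch above. The ExternalAuth and LocalUserStore classes, the two processLogin* functions, the message strings and the sample user are all assumptions made for this example; the only thing it takes from the report is that the local minimum length ($wgMinimalPasswordLength, modelled as MINIMAL_PASSWORD_LENGTH) is enforced at login but not when an external plugin triggers account creation. The hardened variant places the check after authenticate() rather than before it, as the patch does, so that only a caller who has proven the external password is told about the local policy.

```php
<?php
// Added illustration, not MediaWiki code. Every class, function and message
// string here is an assumption made for this example.

const MINIMAL_PASSWORD_LENGTH = 5;   // stands in for $wgMinimalPasswordLength

// Stand-in for an external authentication plugin ($wgAuth) that permits auto-creation.
class ExternalAuth
{
    private array $users;   // name => password, constructed sample data

    public function __construct(array $users) { $this->users = $users; }

    public function autoCreate(): bool { return true; }

    public function userExists(string $name): bool { return isset($this->users[$name]); }

    public function authenticate(string $name, string $password): bool
    {
        return isset($this->users[$name]) && hash_equals($this->users[$name], $password);
    }
}

// Stand-in for the local user table. The length policy is enforced here on
// login, which is what leaves an account created with a short password unusable.
class LocalUserStore
{
    private array $accounts = [];

    public function exists(string $name): bool { return isset($this->accounts[$name]); }

    public function isValidPassword(string $password): bool
    {
        return strlen($password) >= MINIMAL_PASSWORD_LENGTH;
    }

    public function create(string $name, string $password): void
    {
        $this->accounts[$name] = $password;
    }

    public function login(string $name, string $password): bool
    {
        return $this->exists($name)
            && $this->isValidPassword($password)
            && hash_equals($this->accounts[$name], $password);
    }
}

// The pre-patch behaviour: auto-create without consulting the local password policy.
function processLoginBuggy(ExternalAuth $auth, LocalUserStore $local, string $name, string $password): string
{
    if (!$local->exists($name)) {
        if ($auth->autoCreate() && $auth->userExists($name)) {
            if (!$auth->authenticate($name, $password)) {
                return 'wrongpassword';
            }
            $local->create($name, $password);   // no isValidPassword() check
            return 'created';
        }
        return 'nosuchuser';
    }
    return $local->login($name, $password) ? 'ok' : 'wrongpassword';
}

// Hardened flow: refuse to create an account whose password the local policy
// would reject at the next login. The check sits after authenticate() so that
// only a caller who has proven the external password learns about the policy.
function processLoginFixed(ExternalAuth $auth, LocalUserStore $local, string $name, string $password): string
{
    if (!$local->exists($name)) {
        if ($auth->autoCreate() && $auth->userExists($name)) {
            if (!$auth->authenticate($name, $password)) {
                return 'wrongpassword';
            }
            if (!$local->isValidPassword($password)) {
                return 'passwordtooshort';
            }
            $local->create($name, $password);
            return 'created';
        }
        return 'nosuchuser';
    }
    return $local->login($name, $password) ? 'ok' : 'wrongpassword';
}

// Constructed sample: an externally defined user whose password is shorter
// than the local minimum.
$auth = new ExternalAuth(['alice' => 'abc']);

$buggy = new LocalUserStore();
printf("buggy, first login:    %s\n", processLoginBuggy($auth, $buggy, 'alice', 'abc'));
printf("buggy, second login:   %s\n", processLoginBuggy($auth, $buggy, 'alice', 'abc'));

$fixed = new LocalUserStore();
printf("fixed, first login:    %s\n", processLoginFixed($auth, $fixed, 'alice', 'abc'));
printf("fixed, account exists: %s\n", $fixed->exists('alice') ? 'yes' : 'no');
```

Run with `php` (7.4 or later, for the typed properties). The buggy flow creates the account on the first request and then rejects the same credentials on the second, which is exactly the state the report describes; the hardened flow answers with the policy message and leaves no account behind.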