r79034 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r79033‎ | r79034 | r79035 >
Date:22:55, 26 December 2010
Author:platonides
Status:ok (Comments)
Tags:
Comment:
Revert r75588 and r77381. Block just the tainted pairs of username/passwords until a proper solution for weak passwords is added, hopefully for 1.18.
Modified paths:
  • /trunk/phase3/includes/DefaultSettings.php (modified) (history)
  • /trunk/phase3/includes/User.php (modified) (history)
  • /trunk/phase3/languages/messages/MessagesEn.php (modified) (history)
  • /trunk/phase3/maintenance/language/messages.inc (modified) (history)

Diff [purge]

Index: trunk/phase3/maintenance/language/messages.inc
@@ -451,7 +451,7 @@
452452 'wrongpasswordempty',
453453 'passwordtooshort',
454454 'password-name-match',
455 - 'password-too-weak',
 455+ 'password-login-forbidden',
456456 'mailmypassword',
457457 'passwordremindertitle',
458458 'passwordremindertext',
Index: trunk/phase3/includes/User.php
@@ -602,22 +602,25 @@
603603 * @return mixed: true on success, string of error message on failure
604604 */
605605 function getPasswordValidity( $password ) {
606 - global $wgMinimalPasswordLength, $wgWeakPasswords, $wgContLang;
 606+ global $wgMinimalPasswordLength, $wgContLang;
 607+
 608+ static $blockedLogins = array(
 609+ 'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
 610+ 'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
 611+ );
607612
608613 $result = false; //init $result to false for the internal checks
609614
610615 if( !wfRunHooks( 'isValidPassword', array( $password, &$result, $this ) ) )
611616 return $result;
612617
613 - $lcPassword = $wgContLang->lc( $password );
614 -
615618 if ( $result === false ) {
616619 if( strlen( $password ) < $wgMinimalPasswordLength ) {
617620 return 'passwordtooshort';
618 - } elseif ( $lcPassword == $wgContLang->lc( $this->mName ) ) {
 621+ } elseif ( $wgContLang->lc( $password ) == $wgContLang->lc( $this->mName ) ) {
619622 return 'password-name-match';
620 - } elseif ( in_array( $lcPassword, $wgWeakPasswords ) ) {
621 - return 'password-too-weak';
 623+ } elseif ( isset( $blockedLogins[ $this->getName() ] ) && $password == $blockedLogins[ $this->getName() ] ) {
 624+ return 'password-login-forbidden';
622625 } else {
623626 //it seems weird returning true here, but this is because of the
624627 //initialization of $result to false above. If the hook is never run or it
@@ -2778,6 +2781,15 @@
27792782 global $wgAuth;
27802783 $this->load();
27812784
 2785+ // Even though we stop people from creating passwords that
 2786+ // are shorter than this, doesn't mean people wont be able
 2787+ // to. Certain authentication plugins do NOT want to save
 2788+ // domain passwords in a mysql database, so we should
 2789+ // check this (in case $wgAuth->strict() is false).
 2790+ if( !$this->isValidPassword( $password ) ) {
 2791+ return false;
 2792+ }
 2793+
27822794 if( $wgAuth->authenticate( $this->getName(), $password ) ) {
27832795 return true;
27842796 } elseif( $wgAuth->strict() ) {
Index: trunk/phase3/includes/DefaultSettings.php
@@ -2883,12 +2883,6 @@
28842884 $wgLivePasswordStrengthChecks = false;
28852885
28862886 /**
2887 - * List of weak passwords which shouldn't be allowed.
2888 - * The items should be in lowercase. The check is case insensitive.
2889 - */
2890 -$wgWeakPasswords = array( 'password', 'passpass', 'passpass1' );
2891 -
2892 -/**
28932887 * Maximum number of Unicode characters in signature
28942888 */
28952889 $wgMaxSigChars = 255;
Index: trunk/phase3/languages/messages/MessagesEn.php
@@ -1094,7 +1094,7 @@
10951095 Please try again.',
10961096 'passwordtooshort' => 'Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.',
10971097 'password-name-match' => 'Your password must be different from your username.',
1098 -'password-too-weak' => 'The provided password is too weak and cannot be used.',
 1098+'password-login-forbidden' => 'The use of these username and password has been forbidden.',
10991099 'mailmypassword' => 'E-mail new password',
11001100 'passwordremindertitle' => 'New temporary password for {{SITENAME}}',
11011101 'passwordremindertext' => 'Someone (probably you, from IP address $1) requested a new

Follow-up revisions

RevisionCommit summaryAuthorDate
r79129MFT r78011 r78014 r78015 r78016 r78099 r78117 r78161 r78170 r78172 r78199 r78......platonides19:58, 28 December 2010

Past revisions this follows-up on

RevisionCommit summaryAuthorDate
r75588Add feature to block common (weak) passwords....platonides22:26, 27 October 2010
r77381Remove isValidPassword check from User::checkPassword. It is hugely annoying ...werdna03:21, 28 November 2010

Comments

#Comment by Catrope (talk | contribs)   22:39, 29 December 2010 
+		// Even though we stop people from creating passwords that
+		// are shorter than this, doesn't mean people wont be able
+		// to. Certain authentication plugins do NOT want to save
+		// domain passwords in a mysql database, so we should
+		// check this (in case $wgAuth->strict() is false).
+		if( !$this->isValidPassword( $password ) ) {
+			return false;
+		}

Did you intend to reintroduce this?

#Comment by Platonides (talk | contribs)   22:41, 29 December 2010

Yes, that's the reverting of r77381.

#Comment by Catrope (talk | contribs)   22:46, 29 December 2010

On IRC Platonides pointed out this is needed, and I realized I had missed the fact the two changes were in different functions. So it's fine.

Status & tagging log