diff options
| author | Dylan William Hardison <dylan@hardison.net> | 2017-09-15 20:30:40 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-09-15 20:30:40 +0200 |
| commit | e9adcde4648b54db8d40f314ca938dca5080bb9c (patch) | |
| tree | bd826aa5f5857e063d575fec1ec16068712edd4a /token.cgi | |
| parent | 06c57b6e475767923f8294cf93fd746d45f3dc6f (diff) | |
| download | bugzilla-e9adcde4648b54db8d40f314ca938dca5080bb9c.tar.gz bugzilla-e9adcde4648b54db8d40f314ca938dca5080bb9c.tar.xz | |
Bug 1391702 - Replace Bugzilla::User::validate_password() with calls to Data::Password::passwdqc
Diffstat (limited to 'token.cgi')
| -rwxr-xr-x | token.cgi | 20 |
1 files changed, 12 insertions, 8 deletions
@@ -118,11 +118,13 @@ if ( $action eq 'reqpw' ) { my $password; if ( $action eq 'chgpw' ) { $password = $cgi->param('password'); - defined $password - && defined $cgi->param('matchpassword') - || ThrowUserError("require_new_password"); + my $matchpassword = $cgi->param('matchpassword'); + ThrowUserError("require_new_password") + unless defined $password && defined $matchpassword; + + Bugzilla->assert_password_is_secure($password); + Bugzilla->assert_passwords_match($password, $matchpassword); - validate_password($password, $cgi->param('matchpassword')); # Make sure that these never show up in the UI under any circumstances. $cgi->delete('password', 'matchpassword'); } @@ -391,15 +393,17 @@ sub confirm_create_account { Bugzilla->user->check_account_creation_enabled; my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($token); - my $password = $cgi->param('passwd1') || ''; - validate_password($password, $cgi->param('passwd2') || ''); + my $password1 = $cgi->param('passwd1'); + my $password2 = $cgi->param('passwd2'); # Make sure that these never show up anywhere in the UI. $cgi->delete('passwd1', 'passwd2'); + Bugzilla->assert_password_is_secure($password1); + Bugzilla->assert_passwords_match($password1, $password2); my $otheruser = Bugzilla::User->create({ login_name => $login_name, realname => scalar $cgi->param('realname'), - cryptpassword => $password}); + cryptpassword => $password1}); # Now delete this token. delete_token($token); @@ -410,7 +414,7 @@ sub confirm_create_account { # Log in the new user using credentials he just gave. $cgi->param('Bugzilla_login', $otheruser->login); - $cgi->param('Bugzilla_password', $password); + $cgi->param('Bugzilla_password', $password1); Bugzilla->login(LOGIN_OPTIONAL); print $cgi->header(); |