From e9adcde4648b54db8d40f314ca938dca5080bb9c Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Fri, 15 Sep 2017 14:30:40 -0400 Subject: Bug 1391702 - Replace Bugzilla::User::validate_password() with calls to Data::Password::passwdqc --- Bugzilla/Auth/Verify.pm | 2 +- Bugzilla/Auth/Verify/DB.pm | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'Bugzilla/Auth') diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm index 19d8dcc9e..5895534cd 100644 --- a/Bugzilla/Auth/Verify.pm +++ b/Bugzilla/Auth/Verify.pm @@ -72,7 +72,7 @@ sub create_or_update_user { || return { failure => AUTH_ERROR, error => 'auth_invalid_email', details => {addr => $username} }; - # Usually we'd call validate_password, but external authentication + # external authentication # systems might follow different standards than ours. So in this # place here, we call trick_taint without checks. trick_taint($password); diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm index ac6b71ac0..e46d1cd82 100644 --- a/Bugzilla/Auth/Verify/DB.pm +++ b/Bugzilla/Auth/Verify/DB.pm @@ -62,13 +62,15 @@ sub check_credentials { if (Bugzilla->usage_mode == USAGE_MODE_BROWSER && Bugzilla->params->{password_check_on_login}) { - my $check = validate_password_check($password); - if ($check) { - return { - failure => AUTH_ERROR, - user_error => $check, - details => { locked_user => $user } - } + my $pwqc = Bugzilla->passwdqc; + unless ($pwqc->validate_password($password)) { + my $reason = $pwqc->reason; + Bugzilla->audit(sprintf "%s logged in with a weak password (reason: %s)", $user->login, $reason); + $user->set_password_change_required(1); + $user->set_password_change_reason( + "You must change your password for the following reason: $reason" + ); + $user->update(); } } -- cgit v1.2.3-24-g4f1b