From e9adcde4648b54db8d40f314ca938dca5080bb9c Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Fri, 15 Sep 2017 14:30:40 -0400
Subject: Bug 1391702 - Replace Bugzilla::User::validate_password() with calls
 to Data::Password::passwdqc

---
 token.cgi | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

(limited to 'token.cgi')

diff --git a/token.cgi b/token.cgi
index 9cfe37b57..51ed93977 100755
--- a/token.cgi
+++ b/token.cgi
@@ -118,11 +118,13 @@ if ( $action eq 'reqpw' ) {
 my $password;
 if ( $action eq 'chgpw' ) {
     $password = $cgi->param('password');
-    defined $password
-      && defined $cgi->param('matchpassword')
-      || ThrowUserError("require_new_password");
+    my $matchpassword = $cgi->param('matchpassword');
+    ThrowUserError("require_new_password")
+        unless defined $password && defined $matchpassword;
+
+    Bugzilla->assert_password_is_secure($password);
+    Bugzilla->assert_passwords_match($password, $matchpassword);
 
-    validate_password($password, $cgi->param('matchpassword'));
     # Make sure that these never show up in the UI under any circumstances.
     $cgi->delete('password', 'matchpassword');
 }
@@ -391,15 +393,17 @@ sub confirm_create_account {
     Bugzilla->user->check_account_creation_enabled;
     my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($token);
 
-    my $password = $cgi->param('passwd1') || '';
-    validate_password($password, $cgi->param('passwd2') || '');
+    my $password1 = $cgi->param('passwd1');
+    my $password2 = $cgi->param('passwd2');
     # Make sure that these never show up anywhere in the UI.
     $cgi->delete('passwd1', 'passwd2');
+    Bugzilla->assert_password_is_secure($password1);
+    Bugzilla->assert_passwords_match($password1, $password2);
 
     my $otheruser = Bugzilla::User->create({
         login_name => $login_name,
         realname   => scalar $cgi->param('realname'),
-        cryptpassword => $password});
+        cryptpassword => $password1});
 
     # Now delete this token.
     delete_token($token);
@@ -410,7 +414,7 @@ sub confirm_create_account {
 
     # Log in the new user using credentials he just gave.
     $cgi->param('Bugzilla_login', $otheruser->login);
-    $cgi->param('Bugzilla_password', $password);
+    $cgi->param('Bugzilla_password', $password1);
     Bugzilla->login(LOGIN_OPTIONAL);
 
     print $cgi->header();
-- 
cgit v1.2.3-24-g4f1b