Add exposed password check to manual password change

Hypolite Petovan 2018-03-21 01:33:35 -04:00
parent d34a92ab2b
commit ca13570251
2 changed files with 19 additions and 1 deletions


@ -390,6 +390,11 @@ function settings_post(App $a)
$err = true; $err = true;
} }
if (User::checkPasswordExposed($newpass)) {
notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
$err = true;
}
// check if the old password was supplied correctly before changing it to the new value // check if the old password was supplied correctly before changing it to the new value
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) { if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
notice(L10n::t('Wrong password.') . EOL); notice(L10n::t('Wrong password.') . EOL);
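Review bot: The new `User::checkPasswordExposed($newpass)` call at line 14 runs before the old-password verification on line 19, so every submission of this form, including one with a wrong current password, triggers an outbound breach-lookup request before any local validation has passed. Consider moving the exposed-password block after the `User::authenticate(...)` check, or guarding it with `if (!$err && User::checkPasswordExposed($newpass))`, so the remote lookup is only paid for once the cheap local checks succeed; this also keeps the per-request outbound traffic bounded if the form is hammered. Note that a failed lookup is indistinguishable from "not exposed" at this call site — see the note on the `checkPasswordExposed` hunk in User.php. settings_post continues outside the hunk, so I cannot tell whether the later code already relies on the current ordering of the notices.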


@ -5,6 +5,7 @@
*/ */
namespace Friendica\Model; namespace Friendica\Model;
use DivineOmega\PasswordExposed\PasswordStatus;
use Friendica\Core\Addon; use Friendica\Core\Addon;
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Core\L10n; use Friendica\Core\L10n;
@ -22,6 +23,7 @@ use Friendica\Util\Network;
use dba; use dba;
use Exception; use Exception;
use LightOpenID; use LightOpenID;
use function password_exposed;
require_once 'boot.php'; require_once 'boot.php';
require_once 'include/dba.php'; require_once 'include/dba.php';
@ -101,7 +103,7 @@ class User
* @param string $password * @param string $password
* @return int|boolean * @return int|boolean
* @deprecated since version 3.6 * @deprecated since version 3.6
* @see Friendica\Model\User::getIdFromPasswordAuthentication() * @see User::getIdFromPasswordAuthentication()
*/ */
public static function authenticate($user_info, $password) public static function authenticate($user_info, $password)
{ {
@ -216,6 +218,17 @@ class User
return autoname(6) . mt_rand(100, 9999); return autoname(6) . mt_rand(100, 9999);
} }
/**
* Checks if the provided plaintext password has been exposed or not
*
* @param string $password
* @return bool
*/
public static function checkPasswordExposed($password)
{
return password_exposed($password) === PasswordStatus::EXPOSED;
}
/** /**
* Legacy hashing function, kept for password migration purposes * Legacy hashing function, kept for password migration purposes
* *
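Review bot: `checkPasswordExposed` at lines 55-58 returns true only for `PasswordStatus::EXPOSED`, so any other status — including the library's `PasswordStatus::UNKNOWN`, which it reports when the remote lookup fails or is rate-limited — is mapped to "not exposed" and the password is silently accepted; the caller has no way to distinguish "checked and clean" from "could not check". Either return or log the raw status for the UNKNOWN case, or at least make the fail-open behaviour explicit in the docblock, e.g. `* Returns false (fail-open) when the lookup cannot be completed; callers must not treat false as proof the password is clean.` The docblock should also state what leaves the server, since this is a third-party call on a plaintext credential: `* Queries the Have I Been Pwned range API via password_exposed(); only a short prefix of the SHA-1 hash is sent (k-anonymity), never the password itself.` The unrelated `@see` docblock edit at line 42 and the two `use` additions are fine as they stand.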