From d34a92ab2b3b578f43bd75624dba38e945cbceed Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 21 Mar 2018 01:31:00 -0400 Subject: [PATCH 1/6] [Composer] Add divineomega/password_exposed - Reorder PHP packages by alphabetical order --- composer.json | 3 +- composer.lock | 619 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 620 insertions(+), 2 deletions(-) diff --git a/composer.json b/composer.json index 3f3151e5e3..81f0b99737 100644 --- a/composer.json +++ b/composer.json @@ -15,6 +15,8 @@ "require": { "php": ">5.6", "ext-xml": "*", + "asika/simple-console": "^1.0", + "divineomega/password_exposed": "^2.4", "ezyang/htmlpurifier": "~4.7.0", "league/html-to-markdown": "~4.4.1", "lightopenid/lightopenid": "dev-master", @@ -24,7 +26,6 @@ "pear/Text_LanguageDetect": "1.*", "pear/Text_Highlighter": "dev-master", "smarty/smarty": "^3.1", - "asika/simple-console": "^1.0", "fxp/composer-asset-plugin": "~1.3", "bower-asset/base64": "^1.0", "bower-asset/Chart-js": "^2.7", diff --git a/composer.lock b/composer.lock index 8dd857facb..8e5a7f163a 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "6a87e56bade65fa14f5f74e74109b66f", + "content-hash": "7d90cfe4354cd5ca36b74a3ecc471eeb", "packages": [ { "name": "asika/simple-console", 
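Review bot: The lock now pins paragonie/constant_time_encoding v2.2.2, whose `"require": { "php": "^7" }` is visible further down in the composer.lock hunk, while the composer.json hunk keeps `"php": ">5.6"`, so an install from this lock would be refused on the PHP 5.6 platforms the manifest still admits. Either raise the platform requirement, e.g. `"php": ">=7.0",`, or pin a `config.platform.php` value so the resolver selects a 1.x constant_time_encoding, which paragonie/certainty accepts via `"^1|^2"` (whether 1.x itself runs on 5.6 is not shown here). The new package also pulls guzzlehttp/guzzle, paragonie/certainty, paragonie/sodium_compat and rapidwebltd/rw-file-cache into the password-change path, and its own description states it calls the haveibeenpwned.com API, so a short line in the commit message about the outbound request and the file-based cache would help operators.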
@@ -133,6 +133,54 @@ "description": "Minimalistic but perfect custom scrollbar plugin", "time": "2017-01-10T01:04:09+00:00" }, + { + "name": "divineomega/password_exposed", + "version": "v2.4.0", + "source": { + "type": "git", + "url": "https://github.com/DivineOmega/password_exposed.git", + "reference": "7e26898a280662529b3e5e472b16fcbda167ffce" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/DivineOmega/password_exposed/zipball/7e26898a280662529b3e5e472b16fcbda167ffce", + "reference": "7e26898a280662529b3e5e472b16fcbda167ffce", + "shasum": "" + }, + "require": { + "guzzlehttp/guzzle": "^6.3", + "paragonie/certainty": "^1", + "php": ">=5.6", + "rapidwebltd/rw-file-cache-psr-6": "^1.0" + }, + "require-dev": { + "fzaninotto/faker": "^1.7", + "phpunit/phpunit": "^5.7", + "satooshi/php-coveralls": "^2.0", + "vimeo/psalm": "^1" + }, + "type": "library", + "autoload": { + "psr-4": { + "DivineOmega\\PasswordExposed\\": "src/" + }, + "files": [ + "src/PasswordExposedFunction.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-3.0-only" + ], + "authors": [ + { + "name": "Jordan Hall", + "email": "jordan@hall05.co.uk" + } + ], + "description": "This PHP package provides a `password_exposed` helper function, that uses the haveibeenpwned.com API to check if a password has been exposed in a data breach.", + "time": "2018-03-14T09:17:40+00:00" + }, { "name": "ezyang/htmlpurifier", "version": "v4.7.0", 
@@ -236,6 +284,187 @@ ], "time": "2017-10-20T06:53:56+00:00" }, + { + "name": "guzzlehttp/guzzle", + "version": "6.3.0", + "source": { + "type": "git", + "url": "https://github.com/guzzle/guzzle.git", + "reference": "f4db5a78a5ea468d4831de7f0bf9d9415e348699" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/guzzle/guzzle/zipball/f4db5a78a5ea468d4831de7f0bf9d9415e348699", + "reference": "f4db5a78a5ea468d4831de7f0bf9d9415e348699", + "shasum": "" + }, + "require": { + "guzzlehttp/promises": "^1.0", + "guzzlehttp/psr7": "^1.4", + "php": ">=5.5" + }, + "require-dev": { + "ext-curl": "*", + "phpunit/phpunit": "^4.0 || ^5.0", + "psr/log": "^1.0" + }, + "suggest": { + "psr/log": "Required for using the Log middleware" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "6.2-dev" + } + }, + "autoload": { + "files": [ + "src/functions_include.php" + ], + "psr-4": { + "GuzzleHttp\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com", + "homepage": "https://github.com/mtdowling" + } + ], + "description": "Guzzle is a PHP HTTP client library", + "homepage": "http://guzzlephp.org/", + "keywords": [ + "client", + "curl", + "framework", + "http", + "http client", + "rest", + "web service" + ], + "time": "2017-06-22T18:50:49+00:00" + }, + { + "name": "guzzlehttp/promises", + "version": "v1.3.1", + "source": { + "type": "git", + "url": "https://github.com/guzzle/promises.git", + "reference": "a59da6cf61d80060647ff4d3eb2c03a2bc694646" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/guzzle/promises/zipball/a59da6cf61d80060647ff4d3eb2c03a2bc694646", + "reference": "a59da6cf61d80060647ff4d3eb2c03a2bc694646", + "shasum": "" + }, + "require": { + "php": ">=5.5.0" + }, + "require-dev": { + "phpunit/phpunit": "^4.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": 
"1.4-dev" + } + }, + "autoload": { + "psr-4": { + "GuzzleHttp\\Promise\\": "src/" + }, + "files": [ + "src/functions_include.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com", + "homepage": "https://github.com/mtdowling" + } + ], + "description": "Guzzle promises library", + "keywords": [ + "promise" + ], + "time": "2016-12-20T10:07:11+00:00" + }, + { + "name": "guzzlehttp/psr7", + "version": "1.4.2", + "source": { + "type": "git", + "url": "https://github.com/guzzle/psr7.git", + "reference": "f5b8a8512e2b58b0071a7280e39f14f72e05d87c" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/f5b8a8512e2b58b0071a7280e39f14f72e05d87c", + "reference": "f5b8a8512e2b58b0071a7280e39f14f72e05d87c", + "shasum": "" + }, + "require": { + "php": ">=5.4.0", + "psr/http-message": "~1.0" + }, + "provide": { + "psr/http-message-implementation": "1.0" + }, + "require-dev": { + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.4-dev" + } + }, + "autoload": { + "psr-4": { + "GuzzleHttp\\Psr7\\": "src/" + }, + "files": [ + "src/functions_include.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com", + "homepage": "https://github.com/mtdowling" + }, + { + "name": "Tobias Schultze", + "homepage": "https://github.com/Tobion" + } + ], + "description": "PSR-7 message implementation that also provides common utility methods", + "keywords": [ + "http", + "message", + "request", + "response", + "stream", + "uri", + "url" + ], + "time": "2017-03-20T17:10:46+00:00" + }, { "name": "league/html-to-markdown", "version": "4.4.1", 
@@ -970,6 +1199,128 @@ "homepage": "https://github.com/kartik-v/php-date-formatter", "time": "2016-02-18T15:15:55+00:00" }, + { + "name": "paragonie/certainty", + "version": "v1.0.2", + "source": { + "type": "git", + "url": "https://github.com/paragonie/certainty.git", + "reference": "a2d14f5b0b85c58329dee248d77d34e7e1202a32" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/certainty/zipball/a2d14f5b0b85c58329dee248d77d34e7e1202a32", + "reference": "a2d14f5b0b85c58329dee248d77d34e7e1202a32", + "shasum": "" + }, + "require": { + "guzzlehttp/guzzle": "^6", + "paragonie/constant_time_encoding": "^1|^2", + "paragonie/sodium_compat": "^1.6", + "php": "^5.6|^7" + }, + "require-dev": { + "phpunit/phpunit": "^5|^6", + "vimeo/psalm": "^1" + }, + "bin": [ + "bin/certainty-cert-symlink" + ], + "type": "library", + "autoload": { + "psr-4": { + "ParagonIE\\Certainty\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "ISC" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "Up-to-date, verifiable repository for Certificate Authorities", + "keywords": [ + "CA-Cert", + "Ed25519", + "Public-Key Infractructure", + "ca", + "ca-cert.pem", + "cacert", + "cacert.pem", + "certificate authority", + "pki", + "ssl", + "tls" + ], + "time": "2018-03-12T18:34:23+00:00" + }, + { + "name": "paragonie/constant_time_encoding", + "version": "v2.2.2", + "source": { + "type": "git", + "url": "https://github.com/paragonie/constant_time_encoding.git", + "reference": "eccf915f45f911bfb189d1d1638d940ec6ee6e33" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/eccf915f45f911bfb189d1d1638d940ec6ee6e33", + "reference": "eccf915f45f911bfb189d1d1638d940ec6ee6e33", + "shasum": "" + }, + "require": { + "php": "^7" + }, + "require-dev": { + 
"phpunit/phpunit": "^6|^7", + "vimeo/psalm": "^1" + }, + "type": "library", + "autoload": { + "psr-4": { + "ParagonIE\\ConstantTime\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com", + "role": "Maintainer" + }, + { + "name": "Steve 'Sc00bz' Thomas", + "email": "steve@tobtu.com", + "homepage": "https://www.tobtu.com", + "role": "Original Developer" + } + ], + "description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)", + "keywords": [ + "base16", + "base32", + "base32_decode", + "base32_encode", + "base64", + "base64_decode", + "base64_encode", + "bin2hex", + "encoding", + "hex", + "hex2bin", + "rfc4648" + ], + "time": "2018-03-10T19:47:49+00:00" + }, { "name": "paragonie/random_compat", "version": "v2.0.11", 
@@ -1018,6 +1369,88 @@ ], "time": "2017-09-27T21:40:39+00:00" }, + { + "name": "paragonie/sodium_compat", + "version": "v1.6.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/sodium_compat.git", + "reference": "1f6e5682eff4a5a6a394b14331a1904f1740e432" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/sodium_compat/zipball/1f6e5682eff4a5a6a394b14331a1904f1740e432", + "reference": "1f6e5682eff4a5a6a394b14331a1904f1740e432", + "shasum": "" + }, + "require": { + "paragonie/random_compat": "^1|^2", + "php": "^5.2.4|^5.3|^5.4|^5.5|^5.6|^7" + }, + "require-dev": { + "phpunit/phpunit": "^3|^4|^5" + }, + "suggest": { + "ext-libsodium": "PHP < 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security.", + "ext-sodium": "PHP >= 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security." + }, + "type": "library", + "autoload": { + "files": [ + "autoload.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "ISC" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com" + }, + { + "name": "Frank Denis", + "email": "jedisct1@pureftpd.org" + } + ], + "description": "Pure PHP implementation of libsodium; uses the PHP extension if it exists", + "keywords": [ + "Authentication", + "BLAKE2b", + "ChaCha20", + "ChaCha20-Poly1305", + "Chapoly", + "Curve25519", + "Ed25519", + "EdDSA", + "Edwards-curve Digital Signature Algorithm", + "Elliptic Curve Diffie-Hellman", + "Poly1305", + "Pure-PHP cryptography", + "RFC 7748", + "RFC 8032", + "Salpoly", + "Salsa20", + "X25519", + "XChaCha20-Poly1305", + "XSalsa20-Poly1305", + "Xchacha20", + "Xsalsa20", + "aead", + "cryptography", + "ecdh", + "elliptic curve", + "elliptic curve cryptography", + "encryption", + "libsodium", + "php", + "public-key cryptography", + "secret-key cryptography", + "side-channel 
resistant" + ], + "time": "2018-02-15T05:50:20+00:00" + }, { "name": "pear/console_getopt", "version": "v1.4.1", 
@@ -1260,6 +1693,190 @@ "homepage": "http://pear.php.net/package/Text_LanguageDetect", "time": "2017-03-02T16:14:08+00:00" }, + { + "name": "psr/cache", + "version": "1.0.1", + "source": { + "type": "git", + "url": "https://github.com/php-fig/cache.git", + "reference": "d11b50ad223250cf17b86e38383413f5a6764bf8" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/cache/zipball/d11b50ad223250cf17b86e38383413f5a6764bf8", + "reference": "d11b50ad223250cf17b86e38383413f5a6764bf8", + "shasum": "" + }, + "require": { + "php": ">=5.3.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "autoload": { + "psr-4": { + "Psr\\Cache\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "http://www.php-fig.org/" + } + ], + "description": "Common interface for caching libraries", + "keywords": [ + "cache", + "psr", + "psr-6" + ], + "time": "2016-08-06T20:24:11+00:00" + }, + { + "name": "psr/http-message", + "version": "1.0.1", + "source": { + "type": "git", + "url": "https://github.com/php-fig/http-message.git", + "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363", + "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363", + "shasum": "" + }, + "require": { + "php": ">=5.3.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "autoload": { + "psr-4": { + "Psr\\Http\\Message\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "http://www.php-fig.org/" + } + ], + "description": "Common interface for HTTP messages", + "homepage": "https://github.com/php-fig/http-message", + "keywords": [ + "http", + 
"http-message", + "psr", + "psr-7", + "request", + "response" + ], + "time": "2016-08-06T14:39:51+00:00" + }, + { + "name": "rapidwebltd/rw-file-cache", + "version": "v1.2.5", + "source": { + "type": "git", + "url": "https://github.com/rapidwebltd/RW-File-Cache.git", + "reference": "4a1d5aaefa6ffafec8e2d60787f12bcd9890977e" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/rapidwebltd/RW-File-Cache/zipball/4a1d5aaefa6ffafec8e2d60787f12bcd9890977e", + "reference": "4a1d5aaefa6ffafec8e2d60787f12bcd9890977e", + "shasum": "" + }, + "require": { + "php": ">=5.2.1" + }, + "require-dev": { + "phpunit/phpunit": "^5.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0-dev" + } + }, + "autoload": { + "psr-4": { + "rapidweb\\RWFileCache\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-3.0-only" + ], + "description": "RW File Cache is a PHP File-based Caching Library. Its syntax is designed to closely resemble the PHP memcache extension.", + "homepage": "https://github.com/rapidwebltd/RW-File-Cache", + "keywords": [ + "cache", + "caching", + "caching library", + "file cache", + "library", + "php" + ], + "time": "2018-01-23T17:20:58+00:00" + }, + { + "name": "rapidwebltd/rw-file-cache-psr-6", + "version": "v1.0.0", + "source": { + "type": "git", + "url": "https://github.com/rapidwebltd/RW-File-Cache-PSR-6.git", + "reference": "b74ea201d4c964f0e6db0fb036d1ab28a570df66" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/rapidwebltd/RW-File-Cache-PSR-6/zipball/b74ea201d4c964f0e6db0fb036d1ab28a570df66", + "reference": "b74ea201d4c964f0e6db0fb036d1ab28a570df66", + "shasum": "" + }, + "require": { + "psr/cache": "^1.0", + "rapidwebltd/rw-file-cache": "^1.2.3" + }, + "require-dev": { + "cache/integration-tests": "^0.16.0", + "phpunit/phpunit": "^5.7" + }, + "type": "library", + "autoload": { + "psr-4": { + "rapidweb\\RWFileCachePSR6\\": "src/" + } + }, + 
"notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-3.0-only" + ], + "authors": [ + { + "name": "Jordan Hall", + "email": "jordan.hall@rapidweb.biz" + } + ], + "description": "PSR-6 adapter for RW File Cache", + "time": "2018-01-30T19:13:45+00:00" + }, { "name": "smarty/smarty", "version": "v3.1.31", From ca1357025106a27a2a1ed55a46b33fac50244ef8 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 21 Mar 2018 01:33:35 -0400 Subject: [PATCH 2/6] Add exposed password check to manual password change --- mod/settings.php | 5 +++++ src/Model/User.php | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/mod/settings.php b/mod/settings.php index b66cad7f98..b39ee0b51f 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -390,6 +390,11 @@ function settings_post(App $a) $err = true; } + if (User::checkPasswordExposed($newpass)) { + notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL); + $err = true; + } + // check if the old password was supplied correctly before changing it to the new value if (!User::authenticate(intval(local_user()), $_POST['opassword'])) { notice(L10n::t('Wrong password.') . EOL); diff --git a/src/Model/User.php b/src/Model/User.php index 702e815e60..331fdccb7f 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -5,6 +5,7 @@ */ namespace Friendica\Model; +use DivineOmega\PasswordExposed\PasswordStatus; use Friendica\Core\Addon; use Friendica\Core\Config; use Friendica\Core\L10n; @@ -22,6 +23,7 @@ use Friendica\Util\Network; use dba; use Exception; use LightOpenID; +use function password_exposed; require_once 'boot.php'; require_once 'include/dba.php'; 
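Review bot: The new exposure check at `if (User::checkPasswordExposed($newpass))` runs even when the preceding branch has already rejected an empty password, so a remote haveibeenpwned lookup is made for input that will never be saved; guarding it with the accumulated error flag, `if (!$err && User::checkPasswordExposed($newpass)) {`, avoids the round trip. Because only `PasswordStatus::EXPOSED` counts as a hit, an unreachable or failing API lets the change go through (fail-open); that is a defensible choice for a password-change form but deserves a comment on this line, e.g. `// Remote lookup; a failed or unknown result does not block the change`. If the library surfaces transport errors as exceptions rather than as a status, nothing here catches them and the whole settings post would abort, which is worth confirming against the package. settings_post continues outside the hunk.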
@@ -101,7 +103,7 @@ class User
 * @param string $password
 * @return int|boolean
 * @deprecated since version 3.6
- * @see Friendica\Model\User::getIdFromPasswordAuthentication()
+ * @see User::getIdFromPasswordAuthentication()
 */
 public static function authenticate($user_info, $password)
 {
@@ -216,6 +218,17 @@ class User
 return autoname(6) . mt_rand(100, 9999);
 }
+ /**
+ * Checks if the provided plaintext password has been exposed or not
+ *
+ * @param string $password
+ * @return bool
+ */
+ public static function checkPasswordExposed($password)
+ {
+ return password_exposed($password) === PasswordStatus::EXPOSED;
+ }
+ /**
+ * Legacy hashing function, kept for password migration purposes
+ *
From 701fd41463a1da325cf50084767005af5d3627e6 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Mar 2018 02:14:43 -0400
Subject: [PATCH 3/6] Rename checkPasswordExposed to isPasswordExposed
---
 mod/settings.php | 2 +-
 src/Model/User.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mod/settings.php b/mod/settings.php
index b39ee0b51f..162597503c 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -390,7 +390,7 @@ function settings_post(App $a)
 $err = true;
 }
- if (User::checkPasswordExposed($newpass)) {
+ if (User::isPasswordExposed($newpass)) {
 notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
 $err = true;
 }
diff --git a/src/Model/User.php b/src/Model/User.php
index 331fdccb7f..6270ce9bf3 100644
--- a/src/Model/User.php
+++ b/src/Model/User.php
@@ -224,7 +224,7 @@ class User
 * @param string $password
 * @return bool
 */
- public static function checkPasswordExposed($password)
+ public static function isPasswordExposed($password)
 {
 return password_exposed($password) === PasswordStatus::EXPOSED;
 }
From 5b4fb945a2f8e950d3f3da8ae1fc8127ff887568 Mon Sep 17 00:00:00 2001
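Review bot: The docblock on `checkPasswordExposed()` should state that the method performs a network request to the haveibeenpwned API through `password_exposed()` and that any status other than `PasswordStatus::EXPOSED` yields `false`, which presumably includes a lookup that could not be completed, because callers deciding whether to accept a password need to know the check is both remote and fail-open. Suggested wording: `Checks the plaintext password against the haveibeenpwned API via password_exposed(); this performs a remote HTTP request. Returns true only when the status is PasswordStatus::EXPOSED, so an unavailable or failed lookup is reported as not exposed.` The same wording applies to the renamed `isPasswordExposed()` in the following patch. The enclosing class User starts outside the hunk.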
From: Hypolite Petovan
Date: Wed, 21 Mar 2018 02:35:28 -0400
Subject: [PATCH 4/6] Add htconfig setting to disable password_exposed()
---
 doc/htconfig.md | 1 +
 mod/settings.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/htconfig.md b/doc/htconfig.md
index 1f1b62bd49..8562adc5fa 100644
--- a/doc/htconfig.md
+++ b/doc/htconfig.md
@@ -41,6 +41,7 @@ Example: To set the automatic database cleanup process add this line to your .ht
 * **diaspora_test** (Boolean) - For development only. Disables the message transfer.
 * **disable_email_validation** (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS.
 * **disable_url_validation** (Boolean) - Disables the DNS lookup of an URL.
+* **disable_password_exposed** (Boolean) - Disable the exposition check against the remote haveibeenpwned API on password change. Default value is false.
 * **dlogfile - location of the developer log file
 * **dlogip - restricts develop log writes to requests originating from this IP address
 * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.
diff --git a/mod/settings.php b/mod/settings.php
index 162597503c..1473f6d422 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -390,7 +390,7 @@ function settings_post(App $a)
 $err = true;
 }
- if (User::isPasswordExposed($newpass)) {
+ if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
 notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
 $err = true;
 }
From fd9171a40e8899f35315daa3c57bbeea7758d287 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Mar 2018 02:38:04 -0400
Subject: [PATCH 5/6] Fix egregious whitespace issue in mod/settings
---
 mod/settings.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
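Review bot: The `disable_password_exposed` switch is evaluated only at this call site, `if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass))`, so any other caller of `User::isPasswordExposed()`, present or future, would still contact the remote API with the option set; reading the option inside the model method and returning `false` early keeps the opt-out in one place. The htconfig.md entry added in the same patch reads "exposition check" where "exposure check" is meant. settings_post continues outside the hunk.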
diff --git a/mod/settings.php b/mod/settings.php
index 1473f6d422..0ce60c7041 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -388,18 +388,18 @@ function settings_post(App $a)
 if (!x($newpass) || !x($confirm)) {
 notice(L10n::t('Empty passwords are not allowed. Password unchanged.') . EOL);
 $err = true;
- }
+ }
 if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
 notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
 $err = true;
 }
- // check if the old password was supplied correctly before changing it to the new value
- if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
- notice(L10n::t('Wrong password.') . EOL);
- $err = true;
- }
+ // check if the old password was supplied correctly before changing it to the new value
+ if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
+ notice(L10n::t('Wrong password.') . EOL);
+ $err = true;
+ }
 if (!$err) {
 $result = User::updatePassword(local_user(), $newpass);
From cd7993f869f3c9658427f1642ef942a3485f5963 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Mar 2018 08:54:58 -0400
Subject: [PATCH 6/6] Use Config wrapper instead of direct config retrieval
---
 mod/settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mod/settings.php b/mod/settings.php
index 0ce60c7041..93d7a08543 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -390,7 +390,7 @@ function settings_post(App $a)
 $err = true;
 }
- if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
+ if (!Config::get('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
 notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
 $err = true;
 }