From ca1357025106a27a2a1ed55a46b33fac50244ef8 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Mar 2018 01:33:35 -0400
Subject: [PATCH] Add exposed password check to manual password change
---
mod/settings.php | 5 +++++
src/Model/User.php | 15 ++++++++++++++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/mod/settings.php b/mod/settings.php
index b66cad7f98..b39ee0b51f 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -390,6 +390,11 @@ function settings_post(App $a)
$err = true;
}
+ if (User::checkPasswordExposed($newpass)) {
+ notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
+ $err = true;
+ }
+ // check if the old password was supplied correctly before changing it to the new value
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
notice(L10n::t('Wrong password.') . EOL);
diff --git a/src/Model/User.php b/src/Model/User.php
index 702e815e60..331fdccb7f 100644
--- a/src/Model/User.php
+++ b/src/Model/User.php
@@ -5,6 +5,7 @@
*/
namespace Friendica\Model;
+use DivineOmega\PasswordExposed\PasswordStatus;
use Friendica\Core\Addon;
use Friendica\Core\Config;
use Friendica\Core\L10n;
@@ -22,6 +23,7 @@ use Friendica\Util\Network;
use dba;
use Exception;
use LightOpenID;
+use function password_exposed;
require_once 'boot.php';
require_once 'include/dba.php';
@@ -101,7 +103,7 @@ class User
* @param string $password
* @return int|boolean
* @deprecated since version 3.6
- * @see Friendica\Model\User::getIdFromPasswordAuthentication()
+ * @see User::getIdFromPasswordAuthentication()
*/
public static function authenticate($user_info, $password)
{
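Review bot: The new exposure check in settings_post runs regardless of whether an earlier validation already set `$err` (the `$err = true;` context line just above it) and before the old password is verified by `User::authenticate`, so every submission triggers the lookup even when the change is going to be rejected anyway. If `checkPasswordExposed` reaches out to a remote service, as the DivineOmega\PasswordExposed import suggests (the call itself is not in this hunk), that is an avoidable remote round-trip per failed attempt, and it hands information derived from the candidate password (presumably a hash prefix under a k-anonymity scheme; verify in the library) to a third party before the caller has proved they know the current password. Gating it on the earlier result, `if (!$err && User::checkPasswordExposed($newpass)) {`, or moving the block below the `authenticate` check, limits the remote call to submissions that can actually succeed. settings_post's body continues on both sides of this hunk.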
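Review bot: The added `use DivineOmega\PasswordExposed\PasswordStatus;` (and the later `use function password_exposed;`) introduce a third-party package into a class that handles plaintext passwords, yet the diffstat lists only mod/settings.php and src/Model/User.php, so no composer.json or composer.lock change travels with this patch. Presumably the dependency was added in an earlier commit; that should be confirmed, and the lock file should pin it to a version that has been reviewed, since whatever `password_exposed()` does with `$password` happens outside this codebase. A one-line note at the import, `// third-party exposed-password lookup; see User::checkPasswordExposed() for the failure-mode contract`, would tell later readers why a model class now depends on an external helper.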
@@ -216,6 +218,17 @@ class User
return autoname(6) . mt_rand(100, 9999);
}
+ /**
+ * Checks if the provided plaintext password has been exposed or not
+ *
+ * @param string $password
+ * @return bool
+ */
+ public static function checkPasswordExposed($password)
+ {
+ return password_exposed($password) === PasswordStatus::EXPOSED;
+ }
+ /**
+ * Legacy hashing function, kept for password migration purposes
+ *
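Review bot: checkPasswordExposed returns true only for `PasswordStatus::EXPOSED`, so any other status the library can report, including an indeterminate one when the lookup cannot be completed if the library has such a value, is silently treated as "not exposed", while an exception thrown by `password_exposed()` on a failed lookup would propagate straight out of the password-change form. Neither the code nor the new docblock says which of those is intended, and the method presumably performs a remote lookup (the library name suggests a Pwned Passwords style service, but the call is not visible here). I would make the failure mode explicit: fail open so that an outage never blocks a password rotation, but catch the error in this method and record it rather than letting it escape, and state the contract in the docblock, e.g. `Performs a remote lookup; returns false (password not blocked) when the lookup is inconclusive or fails, so callers must not treat false as proof the password is clean.` The `Exception` import already present in the file covers the catch below.
```php
public static function checkPasswordExposed($password)
{
	try {
		return password_exposed($password) === PasswordStatus::EXPOSED;
	} catch (Exception $e) {
		// Lookup failed (no network, service outage): fail open so a password
		// rotation is never blocked, but record it so outages are noticed.
		// NOTE(review): hook the project's logger in here.
		return false;
	}
}
```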