Merge pull request #4640 from MrPetovan/task/4604-add-password-exposed-check

Add password exposed check
Michael Vogel 2018-03-21 18:04:16 +01:00 committed by GitHub
commit 046046e0c4
5 changed files with 646 additions and 9 deletions


@ -15,6 +15,8 @@
"require": {
"php": ">5.6",
"ext-xml": "*",
"asika/simple-console": "^1.0",
"divineomega/password_exposed": "^2.4",
"ezyang/htmlpurifier": "~4.7.0",
"league/html-to-markdown": "~4.4.1",
"lightopenid/lightopenid": "dev-master",
@ -24,7 +26,6 @@
"pear/Text_LanguageDetect": "1.*",
"pear/Text_Highlighter": "dev-master",
"smarty/smarty": "^3.1",
"asika/simple-console": "^1.0",
"fxp/composer-asset-plugin": "~1.3",
"bower-asset/base64": "^1.0",
"bower-asset/Chart-js": "^2.7",
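Review bot: The new `"divineomega/password_exposed": "^2.4"` requirement was resolved against a PHP 7 interpreter, and the resulting lock pins `paragonie/constant_time_encoding` v2.2.2, whose own requirement is `"php": "^7"`, while this manifest still declares `"php": ">5.6"` — so the lock file can no longer be installed on the 5.6 baseline the manifest claims to support. Either raise the declared minimum, or tell Composer to resolve for the lowest supported runtime so it picks the `^1` branch of that package, e.g. `"config": {"platform": {"php": "5.6.0"}}`. Worth noting in the description that this one line also brings a runtime HTTP client (guzzle), a CA-bundle fetcher (paragonie/certainty) and an on-disk cache library into the password-change path, since that is a larger trust surface than the package name suggests.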

composer.lock generated

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "6a87e56bade65fa14f5f74e74109b66f",
"content-hash": "7d90cfe4354cd5ca36b74a3ecc471eeb",
"packages": [
{
"name": "asika/simple-console",
@ -133,6 +133,54 @@
"description": "Minimalistic but perfect custom scrollbar plugin",
"time": "2017-01-10T01:04:09+00:00"
},
{
"name": "divineomega/password_exposed",
"version": "v2.4.0",
"source": {
"type": "git",
"url": "https://github.com/DivineOmega/password_exposed.git",
"reference": "7e26898a280662529b3e5e472b16fcbda167ffce"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/DivineOmega/password_exposed/zipball/7e26898a280662529b3e5e472b16fcbda167ffce",
"reference": "7e26898a280662529b3e5e472b16fcbda167ffce",
"shasum": ""
},
"require": {
"guzzlehttp/guzzle": "^6.3",
"paragonie/certainty": "^1",
"php": ">=5.6",
"rapidwebltd/rw-file-cache-psr-6": "^1.0"
},
"require-dev": {
"fzaninotto/faker": "^1.7",
"phpunit/phpunit": "^5.7",
"satooshi/php-coveralls": "^2.0",
"vimeo/psalm": "^1"
},
"type": "library",
"autoload": {
"psr-4": {
"DivineOmega\\PasswordExposed\\": "src/"
},
"files": [
"src/PasswordExposedFunction.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL-3.0-only"
],
"authors": [
{
"name": "Jordan Hall",
"email": "jordan@hall05.co.uk"
}
],
"description": "This PHP package provides a `password_exposed` helper function, that uses the haveibeenpwned.com API to check if a password has been exposed in a data breach.",
"time": "2018-03-14T09:17:40+00:00"
},
{
"name": "ezyang/htmlpurifier",
"version": "v4.7.0",
@ -236,6 +284,187 @@
],
"time": "2017-10-20T06:53:56+00:00"
},
{
"name": "guzzlehttp/guzzle",
"version": "6.3.0",
"source": {
"type": "git",
"url": "https://github.com/guzzle/guzzle.git",
"reference": "f4db5a78a5ea468d4831de7f0bf9d9415e348699"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/guzzle/zipball/f4db5a78a5ea468d4831de7f0bf9d9415e348699",
"reference": "f4db5a78a5ea468d4831de7f0bf9d9415e348699",
"shasum": ""
},
"require": {
"guzzlehttp/promises": "^1.0",
"guzzlehttp/psr7": "^1.4",
"php": ">=5.5"
},
"require-dev": {
"ext-curl": "*",
"phpunit/phpunit": "^4.0 || ^5.0",
"psr/log": "^1.0"
},
"suggest": {
"psr/log": "Required for using the Log middleware"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "6.2-dev"
}
},
"autoload": {
"files": [
"src/functions_include.php"
],
"psr-4": {
"GuzzleHttp\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Michael Dowling",
"email": "mtdowling@gmail.com",
"homepage": "https://github.com/mtdowling"
}
],
"description": "Guzzle is a PHP HTTP client library",
"homepage": "http://guzzlephp.org/",
"keywords": [
"client",
"curl",
"framework",
"http",
"http client",
"rest",
"web service"
],
"time": "2017-06-22T18:50:49+00:00"
},
{
"name": "guzzlehttp/promises",
"version": "v1.3.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/promises.git",
"reference": "a59da6cf61d80060647ff4d3eb2c03a2bc694646"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/promises/zipball/a59da6cf61d80060647ff4d3eb2c03a2bc694646",
"reference": "a59da6cf61d80060647ff4d3eb2c03a2bc694646",
"shasum": ""
},
"require": {
"php": ">=5.5.0"
},
"require-dev": {
"phpunit/phpunit": "^4.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.4-dev"
}
},
"autoload": {
"psr-4": {
"GuzzleHttp\\Promise\\": "src/"
},
"files": [
"src/functions_include.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Michael Dowling",
"email": "mtdowling@gmail.com",
"homepage": "https://github.com/mtdowling"
}
],
"description": "Guzzle promises library",
"keywords": [
"promise"
],
"time": "2016-12-20T10:07:11+00:00"
},
{
"name": "guzzlehttp/psr7",
"version": "1.4.2",
"source": {
"type": "git",
"url": "https://github.com/guzzle/psr7.git",
"reference": "f5b8a8512e2b58b0071a7280e39f14f72e05d87c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/psr7/zipball/f5b8a8512e2b58b0071a7280e39f14f72e05d87c",
"reference": "f5b8a8512e2b58b0071a7280e39f14f72e05d87c",
"shasum": ""
},
"require": {
"php": ">=5.4.0",
"psr/http-message": "~1.0"
},
"provide": {
"psr/http-message-implementation": "1.0"
},
"require-dev": {
"phpunit/phpunit": "~4.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.4-dev"
}
},
"autoload": {
"psr-4": {
"GuzzleHttp\\Psr7\\": "src/"
},
"files": [
"src/functions_include.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Michael Dowling",
"email": "mtdowling@gmail.com",
"homepage": "https://github.com/mtdowling"
},
{
"name": "Tobias Schultze",
"homepage": "https://github.com/Tobion"
}
],
"description": "PSR-7 message implementation that also provides common utility methods",
"keywords": [
"http",
"message",
"request",
"response",
"stream",
"uri",
"url"
],
"time": "2017-03-20T17:10:46+00:00"
},
{
"name": "league/html-to-markdown",
"version": "4.4.1",
@ -970,6 +1199,128 @@
"homepage": "https://github.com/kartik-v/php-date-formatter",
"time": "2016-02-18T15:15:55+00:00"
},
{
"name": "paragonie/certainty",
"version": "v1.0.2",
"source": {
"type": "git",
"url": "https://github.com/paragonie/certainty.git",
"reference": "a2d14f5b0b85c58329dee248d77d34e7e1202a32"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/paragonie/certainty/zipball/a2d14f5b0b85c58329dee248d77d34e7e1202a32",
"reference": "a2d14f5b0b85c58329dee248d77d34e7e1202a32",
"shasum": ""
},
"require": {
"guzzlehttp/guzzle": "^6",
"paragonie/constant_time_encoding": "^1|^2",
"paragonie/sodium_compat": "^1.6",
"php": "^5.6|^7"
},
"require-dev": {
"phpunit/phpunit": "^5|^6",
"vimeo/psalm": "^1"
},
"bin": [
"bin/certainty-cert-symlink"
],
"type": "library",
"autoload": {
"psr-4": {
"ParagonIE\\Certainty\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"ISC"
],
"authors": [
{
"name": "Paragon Initiative Enterprises",
"email": "security@paragonie.com",
"homepage": "https://paragonie.com"
}
],
"description": "Up-to-date, verifiable repository for Certificate Authorities",
"keywords": [
"CA-Cert",
"Ed25519",
"Public-Key Infractructure",
"ca",
"ca-cert.pem",
"cacert",
"cacert.pem",
"certificate authority",
"pki",
"ssl",
"tls"
],
"time": "2018-03-12T18:34:23+00:00"
},
{
"name": "paragonie/constant_time_encoding",
"version": "v2.2.2",
"source": {
"type": "git",
"url": "https://github.com/paragonie/constant_time_encoding.git",
"reference": "eccf915f45f911bfb189d1d1638d940ec6ee6e33"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/eccf915f45f911bfb189d1d1638d940ec6ee6e33",
"reference": "eccf915f45f911bfb189d1d1638d940ec6ee6e33",
"shasum": ""
},
"require": {
"php": "^7"
},
"require-dev": {
"phpunit/phpunit": "^6|^7",
"vimeo/psalm": "^1"
},
"type": "library",
"autoload": {
"psr-4": {
"ParagonIE\\ConstantTime\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Paragon Initiative Enterprises",
"email": "security@paragonie.com",
"homepage": "https://paragonie.com",
"role": "Maintainer"
},
{
"name": "Steve 'Sc00bz' Thomas",
"email": "steve@tobtu.com",
"homepage": "https://www.tobtu.com",
"role": "Original Developer"
}
],
"description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)",
"keywords": [
"base16",
"base32",
"base32_decode",
"base32_encode",
"base64",
"base64_decode",
"base64_encode",
"bin2hex",
"encoding",
"hex",
"hex2bin",
"rfc4648"
],
"time": "2018-03-10T19:47:49+00:00"
},
{
"name": "paragonie/random_compat",
"version": "v2.0.11",
@ -1018,6 +1369,88 @@
],
"time": "2017-09-27T21:40:39+00:00"
},
{
"name": "paragonie/sodium_compat",
"version": "v1.6.0",
"source": {
"type": "git",
"url": "https://github.com/paragonie/sodium_compat.git",
"reference": "1f6e5682eff4a5a6a394b14331a1904f1740e432"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/paragonie/sodium_compat/zipball/1f6e5682eff4a5a6a394b14331a1904f1740e432",
"reference": "1f6e5682eff4a5a6a394b14331a1904f1740e432",
"shasum": ""
},
"require": {
"paragonie/random_compat": "^1|^2",
"php": "^5.2.4|^5.3|^5.4|^5.5|^5.6|^7"
},
"require-dev": {
"phpunit/phpunit": "^3|^4|^5"
},
"suggest": {
"ext-libsodium": "PHP < 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security.",
"ext-sodium": "PHP >= 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security."
},
"type": "library",
"autoload": {
"files": [
"autoload.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"ISC"
],
"authors": [
{
"name": "Paragon Initiative Enterprises",
"email": "security@paragonie.com"
},
{
"name": "Frank Denis",
"email": "jedisct1@pureftpd.org"
}
],
"description": "Pure PHP implementation of libsodium; uses the PHP extension if it exists",
"keywords": [
"Authentication",
"BLAKE2b",
"ChaCha20",
"ChaCha20-Poly1305",
"Chapoly",
"Curve25519",
"Ed25519",
"EdDSA",
"Edwards-curve Digital Signature Algorithm",
"Elliptic Curve Diffie-Hellman",
"Poly1305",
"Pure-PHP cryptography",
"RFC 7748",
"RFC 8032",
"Salpoly",
"Salsa20",
"X25519",
"XChaCha20-Poly1305",
"XSalsa20-Poly1305",
"Xchacha20",
"Xsalsa20",
"aead",
"cryptography",
"ecdh",
"elliptic curve",
"elliptic curve cryptography",
"encryption",
"libsodium",
"php",
"public-key cryptography",
"secret-key cryptography",
"side-channel resistant"
],
"time": "2018-02-15T05:50:20+00:00"
},
{
"name": "pear/console_getopt",
"version": "v1.4.1",
@ -1260,6 +1693,190 @@
"homepage": "http://pear.php.net/package/Text_LanguageDetect",
"time": "2017-03-02T16:14:08+00:00"
},
{
"name": "psr/cache",
"version": "1.0.1",
"source": {
"type": "git",
"url": "https://github.com/php-fig/cache.git",
"reference": "d11b50ad223250cf17b86e38383413f5a6764bf8"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/cache/zipball/d11b50ad223250cf17b86e38383413f5a6764bf8",
"reference": "d11b50ad223250cf17b86e38383413f5a6764bf8",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.0.x-dev"
}
},
"autoload": {
"psr-4": {
"Psr\\Cache\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "http://www.php-fig.org/"
}
],
"description": "Common interface for caching libraries",
"keywords": [
"cache",
"psr",
"psr-6"
],
"time": "2016-08-06T20:24:11+00:00"
},
{
"name": "psr/http-message",
"version": "1.0.1",
"source": {
"type": "git",
"url": "https://github.com/php-fig/http-message.git",
"reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
"reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.0.x-dev"
}
},
"autoload": {
"psr-4": {
"Psr\\Http\\Message\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "http://www.php-fig.org/"
}
],
"description": "Common interface for HTTP messages",
"homepage": "https://github.com/php-fig/http-message",
"keywords": [
"http",
"http-message",
"psr",
"psr-7",
"request",
"response"
],
"time": "2016-08-06T14:39:51+00:00"
},
{
"name": "rapidwebltd/rw-file-cache",
"version": "v1.2.5",
"source": {
"type": "git",
"url": "https://github.com/rapidwebltd/RW-File-Cache.git",
"reference": "4a1d5aaefa6ffafec8e2d60787f12bcd9890977e"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/rapidwebltd/RW-File-Cache/zipball/4a1d5aaefa6ffafec8e2d60787f12bcd9890977e",
"reference": "4a1d5aaefa6ffafec8e2d60787f12bcd9890977e",
"shasum": ""
},
"require": {
"php": ">=5.2.1"
},
"require-dev": {
"phpunit/phpunit": "^5.7"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.0-dev"
}
},
"autoload": {
"psr-4": {
"rapidweb\\RWFileCache\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL-3.0-only"
],
"description": "RW File Cache is a PHP File-based Caching Library. Its syntax is designed to closely resemble the PHP memcache extension.",
"homepage": "https://github.com/rapidwebltd/RW-File-Cache",
"keywords": [
"cache",
"caching",
"caching library",
"file cache",
"library",
"php"
],
"time": "2018-01-23T17:20:58+00:00"
},
{
"name": "rapidwebltd/rw-file-cache-psr-6",
"version": "v1.0.0",
"source": {
"type": "git",
"url": "https://github.com/rapidwebltd/RW-File-Cache-PSR-6.git",
"reference": "b74ea201d4c964f0e6db0fb036d1ab28a570df66"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/rapidwebltd/RW-File-Cache-PSR-6/zipball/b74ea201d4c964f0e6db0fb036d1ab28a570df66",
"reference": "b74ea201d4c964f0e6db0fb036d1ab28a570df66",
"shasum": ""
},
"require": {
"psr/cache": "^1.0",
"rapidwebltd/rw-file-cache": "^1.2.3"
},
"require-dev": {
"cache/integration-tests": "^0.16.0",
"phpunit/phpunit": "^5.7"
},
"type": "library",
"autoload": {
"psr-4": {
"rapidweb\\RWFileCachePSR6\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL-3.0-only"
],
"authors": [
{
"name": "Jordan Hall",
"email": "jordan.hall@rapidweb.biz"
}
],
"description": "PSR-6 adapter for RW File Cache",
"time": "2018-01-30T19:13:45+00:00"
},
{
"name": "smarty/smarty",
"version": "v3.1.31",


@ -41,6 +41,7 @@ Example: To set the automatic database cleanup process add this line to your .ht
* **diaspora_test** (Boolean) - For development only. Disables the message transfer.
* **disable_email_validation** (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS.
* **disable_url_validation** (Boolean) - Disables the DNS lookup of an URL.
* **disable_password_exposed** (Boolean) - Disable the exposition check against the remote haveibeenpwned API on password change. Default value is false.
* **dlogfile - location of the developer log file
* **dlogip - restricts develop log writes to requests originating from this IP address
* **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.


@ -388,13 +388,18 @@ function settings_post(App $a)
if (!x($newpass) || !x($confirm)) {
notice(L10n::t('Empty passwords are not allowed. Password unchanged.') . EOL);
$err = true;
}
}
// check if the old password was supplied correctly before changing it to the new value
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
notice(L10n::t('Wrong password.') . EOL);
$err = true;
}
if (!Config::get('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
$err = true;
}
// check if the old password was supplied correctly before changing it to the new value
if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {
notice(L10n::t('Wrong password.') . EOL);
$err = true;
}
if (!$err) {
$result = User::updatePassword(local_user(), $newpass);
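Review bot: The exposure lookup `if (!Config::get('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass))` runs even when `$err` was already set by the empty/confirm checks above it, and before the current password has been verified, so a submission that is going to be rejected anyway still triggers the remote lookup that isPasswordExposed performs. Gate it on the earlier result, and preferably place it after the old-password check so identity is confirmed before any external call: `if (!$err && !Config::get('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {`. A one-line comment above it, such as `// advisory breach lookup; system.disable_password_exposed turns off the remote call`, would make the admin switch's effect clear to the next reader. This only guards the settings form; if registration or password-reset paths also accept a new password (not visible here), they remain unchecked. settings_post's body starts and ends outside the hunk.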


@ -5,6 +5,7 @@
*/
namespace Friendica\Model;
use DivineOmega\PasswordExposed\PasswordStatus;
use Friendica\Core\Addon;
use Friendica\Core\Config;
use Friendica\Core\L10n;
@ -22,6 +23,7 @@ use Friendica\Util\Network;
use dba;
use Exception;
use LightOpenID;
use function password_exposed;
require_once 'boot.php';
require_once 'include/dba.php';
@ -101,7 +103,7 @@ class User
* @param string $password
* @return int|boolean
* @deprecated since version 3.6
* @see Friendica\Model\User::getIdFromPasswordAuthentication()
* @see User::getIdFromPasswordAuthentication()
*/
public static function authenticate($user_info, $password)
{
@ -216,6 +218,17 @@ class User
return autoname(6) . mt_rand(100, 9999);
}
/**
* Checks if the provided plaintext password has been exposed or not
*
* @param string $password
* @return bool
*/
public static function isPasswordExposed($password)
{
return password_exposed($password) === PasswordStatus::EXPOSED;
}
/**
* Legacy hashing function, kept for password migration purposes
*