fix #12041 - Generate password

Secure the generate password method "perso". Now the system checks the minimum possible value. If the value entered is lower then the system will never trigger the update. Since the update is done through GET parameters, I also added a check backend wise. This checks should never be triggered nor in error. [see: #12041]
Dolibarr · Oct 4, 2019 · c8fb817 · c8fb817
1 parent 0b9d274
commit c8fb817
Showing 1 changed file with 25 additions and 11 deletions.
diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php
@@ -170,9 +170,23 @@
 
 if ($action == 'maj_pattern')
 {
-	dolibarr_set_const($db, "USER_PASSWORD_PATTERN", GETPOST("pattern"), 'chaine', 0, '', $conf->entity);
-	header("Location: security.php");
-	exit;
+    $pattern = GETPOST("pattern");
+    $explodePattern = explode(';',$pattern);
+
+    $patternInError = false;
+    if($explodePattern[0] < 1 || $explodePattern[4] < 1){
+        $patternInError = true;
+    }
+
+    if($explodePattern[0] < $explodePattern[1] + $explodePattern[2] + $explodePattern[3]){
+        $patternInError = true;
+    }
+
+    if(!$patternInError){
+	    dolibarr_set_const($db, "USER_PASSWORD_PATTERN", $pattern, 'chaine', 0, '', $conf->entity);
+	    header("Location: security.php");
+	    exit;
+    }
 }
 
 
@@ -278,13 +292,6 @@
 
 
 	$tabConf = explode(";", $conf->global->USER_PASSWORD_PATTERN);
-	/*$this->length2 = $tabConf[0];
-	$this->NbMaj = $tabConf[1];
-	$this->NbNum = $tabConf[2];
-	$this->NbSpe = $tabConf[3];
-	$this->NbRepeat = $tabConf[4];
-	$this->WithoutAmbi = $tabConf[5];
-	*/
 	print '<br>';
 	print '<table class="noborder" width="100%">';
 	print '<tr class="liste_titre">';
@@ -318,7 +325,7 @@
 
 	print '<tr class="oddeven">';
 	print '<td>' . $langs->trans("NbIteConsecutive")."</td>";
-	print '<td colspan="2"><input type="number" value="'.$tabConf[4].'" id="NbIteConsecutive" min="0"></td>';
+	print '<td colspan="2"><input type="number" value="'.$tabConf[4].'" id="NbIteConsecutive" min="1"></td>';
 	print '</tr>';
 
 
@@ -350,6 +357,13 @@
 	print '	}';
 
 	print '	function valuePossible(){';
+	print '		var fields = ["#minlenght", "#NbMajMin", "#NbNumMin", "#NbSpeMin", "#NbIteConsecutive"];';
+	print '		for(var i = 0 ; i < fields.length ; i++){';
+	print '		    if($(fields[i]).val() < $(fields[i]).attr("min")){';
+	print '		        return false;';
+	print '		    }';
+	print '		}';
+	print '		';
 	print '		var length = parseInt($("#minlenght").val());';
 	print '		var length_mini = parseInt($("#NbMajMin").val()) + parseInt($("#NbNumMin").val()) + parseInt($("#NbSpeMin").val());';
 	print '		return length >= length_mini;';