Fix password length vulnerability
lukasbestle committed Jul 26, 2023
1 parent 2f06ba1 commit 0e10ce3
Showing 33 changed files with 66 additions and 1 deletion.
1 change: 1 addition & 0 deletions i18n/translations/bg.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Моля въведете валиден email адрес",
"error.user.language.invalid": "Моля въведете валиден език",
"error.user.notFound": "\u041f\u043e\u0442\u0440\u0435\u0431\u0438\u0442\u0435\u043b\u044f\u0442 \u043d\u0435 \u043c\u043e\u0436\u0435 \u0434\u0430 \u0431\u044a\u0434\u0435 \u043d\u0430\u043c\u0435\u0440\u0435\u043d.",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Моля въведете валидна парола. Тя трабва да съдържа поне 8 символа.",
"error.user.password.notSame": "\u041c\u043e\u043b\u044f, \u043f\u043e\u0442\u0432\u044a\u0440\u0434\u0435\u0442\u0435 \u043f\u0430\u0440\u043e\u043b\u0430\u0442\u0430",
"error.user.password.undefined": "Потребителят няма парола",
1 change: 1 addition & 0 deletions i18n/translations/ca.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Si us plau, introdueix una adreça de correu electrònic vàlida",
"error.user.language.invalid": "Introduïu un idioma vàlid",
"error.user.notFound": "L'usuari \"{name}\" no s'ha trobat",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Introduïu una contrasenya vàlida. Les contrasenyes han de tenir com a mínim 8 caràcters.",
"error.user.password.notSame": "Les contrasenyes no coincideixen",
"error.user.password.undefined": "L'usuari no té una contrasenya",
1 change: 1 addition & 0 deletions i18n/translations/cs.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Zadejte prosím platnou emailovou adresu",
"error.user.language.invalid": "Zadejte prosím platný jazyk",
"error.user.notFound": "U\u017eivatele se nepoda\u0159ilo nal\u00e9zt",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Zadejte prosím platné heslo. Heslo musí být dlouhé alespoň 8 znaků.",
"error.user.password.notSame": "Pros\u00edm potvr\u010fte heslo",
"error.user.password.undefined": "Uživatel nemá nastavené heslo.",
1 change: 1 addition & 0 deletions i18n/translations/da.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Indtast venligst en gyldig email adresse",
"error.user.language.invalid": "Indtast venligst et gyldigt sprog",
"error.user.notFound": "Brugeren kunne ikke findes",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Indtast venligst en gyldig adgangskode. Adgangskoder skal minimum være 8 tegn lange.",
"error.user.password.notSame": "Bekr\u00e6ft venligst adgangskoden",
"error.user.password.undefined": "Brugeren har ikke en adgangskode",
1 change: 1 addition & 0 deletions i18n/translations/de.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Bitte gib eine gültige E-Mailadresse an",
"error.user.language.invalid": "Bitte gib eine gültige Sprache an",
"error.user.notFound": "Der Account \"{name}\" wurde nicht gefunden",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Bitte gib ein gültiges Passwort ein. Passwörter müssen mindestens 8 Zeichen lang sein.",
"error.user.password.notSame": "Die Passwörter stimmen nicht überein",
"error.user.password.undefined": "Der Account hat kein Passwort",
1 change: 1 addition & 0 deletions i18n/translations/el.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Παρακαλώ εισάγετε μια έγκυρη διεύθυνση ηλεκτρονικού ταχυδρομείου",
"error.user.language.invalid": "Παρακαλώ εισαγάγετε μια έγκυρη γλώσσα",
"error.user.notFound": "Δεν είναι δυνατή η εύρεση του χρήστη \"{name}\"",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Παρακαλώ εισάγετε έναν έγκυρο κωδικό πρόσβασης. Οι κωδικοί πρόσβασης πρέπει να έχουν μήκος τουλάχιστον 8 χαρακτήρων.",
"error.user.password.notSame": "\u03a0\u03b1\u03c1\u03b1\u03ba\u03b1\u03bb\u03bf\u03cd\u03bc\u03b5 \u03b5\u03c0\u03b9\u03b2\u03b5\u03b2\u03b1\u03b9\u03ce\u03c3\u03c4\u03b5 \u03c4\u03bf\u03bd \u039a\u03c9\u03b4\u03b9\u03ba\u03cc \u03a0\u03c1\u03cc\u03c3\u03b2\u03b1\u03c3\u03b7\u03c2",
"error.user.password.undefined": "Ο χρήστης δεν έχει κωδικό πρόσβασης",
1 change: 1 addition & 0 deletions i18n/translations/en.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Please enter a valid email address",
"error.user.language.invalid": "Please enter a valid language",
"error.user.notFound": "The user \"{name}\" cannot be found",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Please enter a valid password. Passwords must be at least 8 characters long.",
"error.user.password.notSame": "The passwords do not match",
"error.user.password.undefined": "The user does not have a password",
1 change: 1 addition & 0 deletions i18n/translations/eo.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Bonvolu entajpi validan retpoŝtadreson",
"error.user.language.invalid": "Bonvolu entajpi validan lingvon",
"error.user.notFound": "La uzanto \"{name}\" ne troveblas",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Bonvolu entajpi validan pasvorton. Pasvortoj devas esti almenaŭ 8 literojn longaj.",
"error.user.password.notSame": "La pasvortoj ne estas kongruantaj",
"error.user.password.undefined": "La uzanto ne havas pasvorton",
1 change: 1 addition & 0 deletions i18n/translations/es_419.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Por favor ingresa un correo electrónico valido",
"error.user.language.invalid": "Por favor ingresa un idioma valido",
"error.user.notFound": "El usuario no pudo ser encontrado",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Por favor ingresa una contraseña valida. Las contraseñas deben tener al menos 8 caracteres de largo.",
"error.user.password.notSame": "Por favor confirma la contrase\u00f1a",
"error.user.password.undefined": "El usuario no tiene contraseña",
1 change: 1 addition & 0 deletions i18n/translations/es_ES.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Por favor, introduce una dirección de correo electrónico válida",
"error.user.language.invalid": "Por favor, introduce un idioma válido",
"error.user.notFound": "No se puede encontrar el usuario \"{name}\"",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Por favor, introduce una contraseña válida. Las contraseñas deben tener al menos 8 caracteres de largo.",
"error.user.password.notSame": "Las contraseñas no coinciden",
"error.user.password.undefined": "El usuario no tiene contraseña",
1 change: 1 addition & 0 deletions i18n/translations/fa.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "لطفا یک ایمیل معتبر وارد کنید",
"error.user.language.invalid": "لطفا زبان معتبری انتخاب کنید",
"error.user.notFound": "کاربر «{name}» پیدا نشد",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "لطفا گذرواژه صحیحی با حداقل طول 8 حرف وارد کنید. ",
"error.user.password.notSame": "\u0644\u0637\u0641\u0627 \u062a\u06a9\u0631\u0627\u0631 \u06af\u0630\u0631\u0648\u0627\u0698\u0647 \u0631\u0627 \u0648\u0627\u0631\u062f \u0646\u0645\u0627\u06cc\u06cc\u062f",
"error.user.password.undefined": "کاربر فاقد گذرواژه است",
1 change: 1 addition & 0 deletions i18n/translations/fi.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Anna kelpaava sähköpostiosoite",
"error.user.language.invalid": "Anna kelpaava kieli",
"error.user.notFound": "K\u00e4ytt\u00e4j\u00e4\u00e4 ei l\u00f6ytynyt",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Anna kelpaava salasana. Salasanan täytyy olla ainakin 8 merkkiä pitkä.",
"error.user.password.notSame": "Salasanat eivät täsmää",
"error.user.password.undefined": "Käyttäjällä ei ole salasanaa",
1 change: 1 addition & 0 deletions i18n/translations/fr.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Veuillez saisir un courriel valide",
"error.user.language.invalid": "Veuillez saisir une langue valide",
"error.user.notFound": "L’utilisateur « {name} » n’a pu être trouvé",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Veuillez saisir un mot de passe valide. Les mots de passe doivent comporter au moins 8 caractères.",
"error.user.password.notSame": "Les mots de passe ne sont pas identiques",
"error.user.password.undefined": "Cet utilisateur n’a pas de mot de passe",
1 change: 1 addition & 0 deletions i18n/translations/hu.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Kérlek adj meg egy valós email-címet",
"error.user.language.invalid": "Kérlek add meg a megfelelő nyelvi beállítást",
"error.user.notFound": "A felhaszn\u00e1l\u00f3 nem tal\u00e1lhat\u00f3",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Kérlek adj meg egy megfelelő jelszót. A jelszónak legalább 8 karakter hosszúságúnak kell lennie.",
"error.user.password.notSame": "K\u00e9rlek er\u0151s\u00edtsd meg a jelsz\u00f3t",
"error.user.password.undefined": "A felhasználónak nincs jelszó megadva",
1 change: 1 addition & 0 deletions i18n/translations/id.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Masukkan surel yang valid",
"error.user.language.invalid": "Masukkan bahasa yang valid",
"error.user.notFound": "Pengguna \"{name}\" tidak dapat ditemukan",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Masukkan sandi yang valid. Sandi setidaknya mengandung 8 karakter.",
"error.user.password.notSame": "Sandi tidak cocok",
"error.user.password.undefined": "Pengguna tidak memiliki sandi",
1 change: 1 addition & 0 deletions i18n/translations/is_IS.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Vinsamlegast ákjósanlegt netfang",
"error.user.language.invalid": "Vinsamlegast ákjósanlegt tungumál",
"error.user.notFound": "Þessi notandi; \"{name}\" fannst ekki",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Veldu ákjósanlegt lykilorð. Minnst 8 stafa langt.",
"error.user.password.notSame": "Lykilorðin stemma ekki",
"error.user.password.undefined": "Þessi notandi hefur ekki lykilorð",
1 change: 1 addition & 0 deletions i18n/translations/it.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Inserisci un indirizzo email valido",
"error.user.language.invalid": "Inserisci una lingua valida",
"error.user.notFound": "L'utente non \u00e8 stato trovato",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Per favore inserisci una password valida. Le password devono essere lunghe almeno 8 caratteri",
"error.user.password.notSame": "Le password non corrispondono",
"error.user.password.undefined": "L'utente non ha una password",
1 change: 1 addition & 0 deletions i18n/translations/ko.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "올바른 이메일 주소를 입력하세요.",
"error.user.language.invalid": "올바른 언어를 입력하세요.",
"error.user.notFound": "사용자({name})가 없습니다.",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "암호를 8자 이상으로 설정하세요.",
"error.user.password.notSame": "\uc554\ud638\ub97c \ud655\uc778\ud558\uc138\uc694.",
"error.user.password.undefined": "암호가 설정되지 않았습니다.",
1 change: 1 addition & 0 deletions i18n/translations/lt.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Įrašykite teisingą el. pašto adresą",
"error.user.language.invalid": "Įrašykite teisingą kalbą",
"error.user.notFound": "Vartotojas \"{name}\" nerastas",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Prašome įrašyti galiojantį slaptažodį. Slaptažodį turi sudaryti bent 8 simboliai.",
"error.user.password.notSame": "Slaptažodžiai nesutampa",
"error.user.password.undefined": "Vartotojas neturi slaptažodžio",
1 change: 1 addition & 0 deletions i18n/translations/nb.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Vennligst skriv inn en gyldig e-postadresse",
"error.user.language.invalid": "Vennligst skriv inn et gyldig språk",
"error.user.notFound": "Brukeren kunne ikke bli funnet",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Vennligst skriv inn et gyldig passord. Passordet må minst være 8 tegn langt.",
"error.user.password.notSame": "Vennligst bekreft passordet",
"error.user.password.undefined": "Brukeren har ikke et passord",
1 change: 1 addition & 0 deletions i18n/translations/nl.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Gelieve een geldig emailadres in te voeren",
"error.user.language.invalid": "Gelieve een geldige taal in te voeren",
"error.user.notFound": "De gebruiker \"{name}\" kan niet worden gevonden",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Gelieve een geldig wachtwoord in te voeren. Wachtwoorden moeten minstens 8 karakters lang zijn.",
"error.user.password.notSame": "De wachtwoorden komen niet overeen",
"error.user.password.undefined": "De gebruiker heeft geen wachtwoord",
1 change: 1 addition & 0 deletions i18n/translations/pl.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Wprowadź poprawny adres email",
"error.user.language.invalid": "Proszę podać poprawny język",
"error.user.notFound": "Nie można znaleźć użytkownika \"{name}\"",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Wprowadź prawidłowe hasło. Hasła muszą mieć co najmniej 8 znaków.",
"error.user.password.notSame": "Hasła nie są takie same",
"error.user.password.undefined": "Użytkownik nie ma hasła",
1 change: 1 addition & 0 deletions i18n/translations/pt_BR.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Digite um endereço de email válido",
"error.user.language.invalid": "Digite um idioma válido",
"error.user.notFound": "Usuário \"{name}\" não encontrado",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Digite uma senha válida. Sua senha deve ter pelo menos 8 caracteres.",
"error.user.password.notSame": "As senhas não combinam",
"error.user.password.undefined": "O usuário não possui uma senha",
1 change: 1 addition & 0 deletions i18n/translations/pt_PT.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Digite um endereço de email válido",
"error.user.language.invalid": "Digite um idioma válido",
"error.user.notFound": "Utilizador \"{name}\" não encontrado",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Digite uma palavra-passe válida. A sua palavra-passe deve ter pelo menos 8 caracteres.",
"error.user.password.notSame": "As palavras-passe não combinam",
"error.user.password.undefined": "O utilizador não possui uma palavra-passe",
1 change: 1 addition & 0 deletions i18n/translations/ro.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Te rog introdu o adresă de e-mail validă",
"error.user.language.invalid": "Te rog introdu o limbă validă",
"error.user.notFound": "Utilizatorul \"{name}\" nu a fost găsit",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Te rog introdu o parolă validă. Parola trebuie să aibă cel puțin 8 caractere.",
"error.user.password.notSame": "Parolele nu se potrivesc",
"error.user.password.undefined": "Utilizatorul nu are parolă",
1 change: 1 addition & 0 deletions i18n/translations/ru.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Пожалуйста, введите правильный адрес эл. почты",
"error.user.language.invalid": "Введите правильный язык",
"error.user.notFound": "Пользователь \"{name}\" не найден",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Пожалуйста, введите правильный пароль. Он должен состоять минимум из 8 символов.",
"error.user.password.notSame": "\u041f\u043e\u0436\u0430\u043b\u0443\u0439\u0441\u0442\u0430, \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u0435 \u043f\u0430\u0440\u043e\u043b\u044c",
"error.user.password.undefined": "У пользователя нет пароля",
1 change: 1 addition & 0 deletions i18n/translations/sk.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Prosím, zadajte platnú e-mailovú adresu",
"error.user.language.invalid": "Prosím, zadajte platný jazyk",
"error.user.notFound": "Užívateľa \"{name}\" nie je možné nájsť",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Prosím, zadajte platné heslo. Dĺžka hesla musí byť aspoň 8 znakov.",
"error.user.password.notSame": "Heslá nie sú rovnaké",
"error.user.password.undefined": "Užívateľ nemá heslo",
1 change: 1 addition & 0 deletions i18n/translations/sv_SE.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Ange en giltig e-postadress",
"error.user.language.invalid": "Ange ett giltigt språk",
"error.user.notFound": "Användaren \"{name}\" kan ej hittas",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Ange ett giltigt lösenord. Lösenordet måste vara minst 8 tecken långt.",
"error.user.password.notSame": "Lösenorden matchar inte",
"error.user.password.undefined": "Användaren har inget lösenord",
1 change: 1 addition & 0 deletions i18n/translations/tr.json
Expand Up @@ -183,6 +183,7 @@
"error.user.email.invalid": "Lütfen geçerli bir e-posta adresi girin",
"error.user.language.invalid": "Lütfen geçerli bir dil girin",
"error.user.notFound": "\"{name}\" kullanıcısı bulunamadı",
"error.user.password.excessive": "Please enter a valid password. Passwords must not be longer than 1000 characters.",
"error.user.password.invalid": "Lütfen geçerli bir şifre giriniz. Şifreler en az 8 karakter uzunluğunda olmalıdır.",
"error.user.password.notSame": "L\u00fctfen \u015fifreyi do\u011frulay\u0131n",
"error.user.password.undefined": "Bu kullanıcının şifresi yok",
7 changes: 7 additions & 0 deletions src/Cms/User.php
Expand Up @@ -864,10 +864,17 @@ public function validatePassword(
throw new NotFoundException(['key' => 'user.password.undefined']);
}

// `UserRules` enforces a minimum length of 8 characters,
// so everything below that is a typo
if (Str::length($password) < 8) {
throw new InvalidArgumentException(['key' => 'user.password.invalid']);
}

// too long passwords can cause DoS attacks
if (Str::length($password) > 1000) {
throw new InvalidArgumentException(['key' => 'user.password.excessive']);
}

if (password_verify($password, $this->password()) !== true) {
throw new InvalidArgumentException(['key' => 'user.password.wrong', 'httpCode' => 401]);
}
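Review bot: The ceiling in `if (Str::length($password) > 1000) {` is a bare literal that is repeated in `src/Cms/UserRules.php` and baked into every translation string, so the login-time check and the rule that decides which passwords may be stored can silently drift apart. Hoist it into one shared constant, e.g. `public const PASSWORD_MAX_LENGTH = 1000;` on `UserRules`, and compare against that in both places. If `Str::length` counts multibyte characters rather than bytes, the input that still reaches `password_verify` can be several times larger in bytes than the limit suggests, which is worth stating next to the DoS comment, e.g. `// limit is in characters; the byte length handed to password_verify may be larger`. The `validatePassword` signature and the start of its body are outside the hunk.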
11 changes: 11 additions & 0 deletions src/Cms/UserRules.php
Expand Up @@ -341,12 +341,23 @@ public static function validPassword(
#[SensitiveParameter]
string $password
): bool {
// too short passwords are ineffective
if (Str::length($password ?? null) < 8) {
throw new InvalidArgumentException([
'key' => 'user.password.invalid',
]);
}

// too long passwords can cause DoS attacks
// and are therefore blocked in the auth system
// (blocked here as well to avoid passwords
// that cannot be used to log in)
if (Str::length($password ?? null) > 1000) {
throw new InvalidArgumentException([
'key' => 'user.password.excessive',
]);
}

return true;
}

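Review bot: The `$password ?? null` copied into the new check `if (Str::length($password ?? null) > 1000) {` is dead code: `$password` is declared as a non-nullable `string` a few lines above, so the coalescing branch can never run and only obscures what is being measured. Write both length checks as `if (Str::length($password) < 8) {` and `if (Str::length($password) > 1000) {`. The 1000 literal is also duplicated in `src/Cms/User.php`; a single class constant referenced from both files would keep the storage rule and the login check in step. The `validPassword` signature begins outside the hunk.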

0 comments on commit 0e10ce3
