Fix #13163: Remove limitation on password length with MD5 authentication

A new function auth_get_password_max_size was added in authentication_api.php,
to return the maximum length of the password, taking the login method into
consideration: limited to the database field size (PASSLEN) for PLAIN and
BASIC_AUTH, or to new constant MAX_PASSWORD_SIZE for other, hash-based methods.

The return value is used to define the maxlength attribute of all the password
fields.

account_page.php

@@ -154,7 +154,7 @@
 			<?php } ?>
 		</td>
 		<td>
-			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password" />
+			<input type="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" name="password" />
 		</td>
 	</tr>
 
@@ -169,7 +169,7 @@
 			<?php } ?>
 		</td>
 		<td>
-			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password_confirm" />
+			<input type="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" name="password_confirm" />
 		</td>
 	</tr>
 

core/authentication_api.php

@@ -328,6 +328,29 @@ function auth_automatic_logon_bypass_form() {
 	return false;
 }
 
+/**
+ * Return the user's password maximum length
+ *
+ * @return int
+ * @param int $p_field_size size of the field, defaults to 32
+ * @access public
+ */
+function auth_get_password_max_size() {
+
+	switch( config_get( 'login_method' ) ) {
+
+	    # Max password size cannot be bigger than the database field
+		case PLAIN:
+		case BASIC_AUTH:
+			return PASSLEN;
+
+		# Not sure how to handle HTTP_AUTH
+		# All other cases, i.e. password is stored as a hash
+		default:
+			return PASSWORD_MAX_SIZE;
+	}
+}
+
 /**
  * Return true if the password for the user id given matches the given
  * password (taking into account the global login method)
@@ -412,7 +435,7 @@ function auth_process_plain_password( $p_password, $p_salt = null, $p_method = n
 			break;
 	}
 
-	# cut this off to PASSLEN cahracters which the largest possible string in the database
+	# cut this off to PASSLEN characters which the largest possible string in the database
 	return utf8_substr( $t_processed_password, 0, PASSLEN );
 }
 
@@ -696,7 +719,7 @@ function auth_reauthenticate_page( $p_user_id, $p_username ) {
 
 <tr class="row-2">
 	<td class="category"><?php echo lang_get( 'password' );?></td>
-	<td><input type="password" name="password" size="16" maxlength="<?php echo PASSLEN;?>" /></td>
+	<td><input type="password" name="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" /></td>
 </tr>
 
 <tr>

core/constant_inc.php

@@ -525,4 +525,7 @@
 define( 'REALLEN', 64);
 define( 'PASSLEN', 32);
 
+# Maximum size for the user's password when storing it as a hash
+define( 'PASSWORD_MAX_SIZE', 1024 );
+
 define( 'SECONDS_PER_DAY', 86400 );

login_page.php

@@ -129,7 +129,7 @@
 		<?php echo lang_get( 'password' ) ?>
 	</td>
 	<td>
-		<input type="password" name="password" size="16" maxlength="<?php echo PASSLEN;?>" />
+		<input type="password" name="password" size="28" maxlength="<?php echo auth_get_password_max_size(); ?>" />
 	</td>
 </tr>
 <tr class="row-1">

manage_user_create_page.php

@@ -87,15 +87,15 @@
 		<?php echo lang_get( 'password' ) ?>
 	</td>
 	<td>
-		<input type="password" name="password" size="32" maxlength="<?php echo PASSLEN;?>" />
+		<input type="password" name="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" />
 	</td>
 </tr>
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category">
 		<?php echo lang_get( 'verify_password' ) ?>
 	</td>
 	<td>
-		<input type="password" name="password_verify" size="32" maxlength="<?php echo PASSLEN;?>" />
+		<input type="password" name="password_verify" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" />
 	</td>
 </tr>
 <?php