issue: Password Length

This addresses an issue reported by @manavparekh where allowing excessively lengthy passwords is not a good idea. CVE-2023-30082
osTicket · Jun 12, 2023 · 7bbe076 · 7bbe076
1 parent f7dd4a7
commit 7bbe076
Show file tree

Hide file tree

Showing 12 changed files with 30 additions and 17 deletions.
diff --git a/include/class.auth.php b/include/class.auth.php
@@ -1622,9 +1622,13 @@ function onLogin($user, $password) {
     }
 
     function onSet($passwd, $current) {
-        if (strlen($passwd) < 6) {
+        $pwdlen = strlen($passwd);
+        if ($pwdlen < 6) {
             throw new BadPassword(
                 __('Password must be at least 6 characters'));
+        } elseif ($pwdlen > 128) {
+            throw new BadPassword(
+                sprintf('%s - %s', __('Password is too long'), __('maximum of 128 characters allowed')));
         }
         // XXX: Changing case is technicall changing the password
         if (0 === strcasecmp($passwd, $current)) {

diff --git a/include/class.forms.php b/include/class.forms.php
@@ -1541,7 +1541,7 @@ function($a, &$b) { return true; }
                 function($v) use ($config) {
                     $regex = $config['regex'];
                     return @preg_match($regex, $v);
-                }, __('Value does not match required pattern')
+                }, $config['validator-error'] ?? __('Value does not match required pattern')
             ),
         );
         // Support configuration forms, as well as GUI-based form fields

diff --git a/include/class.staff.php b/include/class.staff.php
@@ -1503,6 +1503,7 @@ function buildFields() {
                 'required' => true,
                 'configuration' => array(
                     'classes' => 'span12',
+                    'length' => '128',
                 ),
                 'visibility' => new VisibilityConstraint(
                     new Q(array('welcome_email' => false)),
@@ -1522,6 +1523,7 @@ function buildFields() {
                 'required' => true,
                 'configuration' => array(
                     'classes' => 'span12',
+                    'length' => '128',
                 ),
                 'visibility' => new VisibilityConstraint(
                     new Q(array('welcome_email' => false)),
@@ -1565,13 +1567,17 @@ function buildFields() {
                 'required' => true,
                 'configuration' => array(
                     'autofocus' => true,
+                    'length' => '128',
                 ),
                 'validator' => 'noop',
             )),
             'passwd1' => new PasswordField(array(
                 'label' => __('Enter a new password'),
                 'placeholder' => __('New Password'),
                 'required' => true,
+                'configuration' => array(
+                    'length' => '128',
+                ),
                 'validator' => '',
                 'validators' => function($self, $v) {
                     try {
@@ -1584,6 +1590,9 @@ function buildFields() {
             'passwd2' => new PasswordField(array(
                 'placeholder' => __('Confirm Password'),
                 'required' => true,
+                'configuration' => array(
+                    'length' => '128',
+                ),
                 'validator' => '',
                 'validators' => function($self, $v) {
                     try {

diff --git a/include/client/login.inc.php b/include/client/login.inc.php
@@ -26,7 +26,7 @@
         <input id="username" placeholder="<?php echo __('Email or Username'); ?>" type="text" name="luser" size="30" value="<?php echo $email; ?>" class="nowarn">
     </div>
     <div>
-        <input id="passwd" placeholder="<?php echo __('Password'); ?>" type="password" name="lpasswd" size="30" value="<?php echo $passwd; ?>" class="nowarn"></td>
+        <input id="passwd" placeholder="<?php echo __('Password'); ?>" type="password" name="lpasswd" size="30" maxlength="128" value="<?php echo $passwd; ?>" class="nowarn"></td>
     </div>
     <p>
         <input class="btn" type="submit" value="<?php echo __('Sign In'); ?>">

diff --git a/include/client/profile.inc.php b/include/client/profile.inc.php
@@ -64,7 +64,7 @@
         <?php echo __('Current Password'); ?>:
     </td>
     <td>
-        <input type="password" size="18" name="cpasswd" value="<?php echo $info['cpasswd']; ?>">
+        <input type="password" size="18" name="cpasswd" maxlength="128" value="<?php echo $info['cpasswd']; ?>">
         &nbsp;<span class="error">&nbsp;<?php echo $errors['cpasswd']; ?></span>
     </td>
 </tr>
@@ -74,7 +74,7 @@
         <?php echo __('New Password'); ?>:
     </td>
     <td>
-        <input type="password" size="18" name="passwd1" value="<?php echo $info['passwd1']; ?>">
+        <input type="password" size="18" name="passwd1" maxlength="128" value="<?php echo $info['passwd1']; ?>">
         &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd1']; ?></span>
     </td>
 </tr>
@@ -83,7 +83,7 @@
         <?php echo __('Confirm New Password'); ?>:
     </td>
     <td>
-        <input type="password" size="18" name="passwd2" value="<?php echo $info['passwd2']; ?>">
+        <input type="password" size="18" name="passwd2" maxlength="128" value="<?php echo $info['passwd2']; ?>">
         &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd2']; ?></span>
     </td>
 </tr>

diff --git a/include/client/register.inc.php b/include/client/register.inc.php
@@ -74,7 +74,7 @@
         <?php echo __('Create a Password'); ?>:
     </td>
     <td>
-        <input type="password" size="18" name="passwd1" value="<?php echo $info['passwd1']; ?>">
+        <input type="password" size="18" name="passwd1" maxlength="128" value="<?php echo $info['passwd1']; ?>">
         &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd1']; ?></span>
     </td>
 </tr>
@@ -83,7 +83,7 @@
         <?php echo __('Confirm New Password'); ?>:
     </td>
     <td>
-        <input type="password" size="18" name="passwd2" value="<?php echo $info['passwd2']; ?>">
+        <input type="password" size="18" name="passwd2" maxlength="128" value="<?php echo $info['passwd2']; ?>">
         &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd2']; ?></span>
     </td>
 </tr>

diff --git a/include/staff/login.tpl.php b/include/staff/login.tpl.php
@@ -45,7 +45,7 @@
             <input type="text" name="userid" id="name" value="<?php
                 echo $info['userid'] ?? null; ?>" placeholder="<?php echo __('Email or Username'); ?>"
                 autofocus autocorrect="off" autocapitalize="off">
-            <input type="password" name="passwd" id="pass" placeholder="<?php echo __('Password'); ?>" autocorrect="off" autocapitalize="off">
+            <input type="password" name="passwd" id="pass" maxlength="128" placeholder="<?php echo __('Password'); ?>" autocorrect="off" autocapitalize="off">
                 <h3 style="display:inline"><a id="reset-link" class="<?php
                     if (!$show_reset || !$cfg->allowPasswordReset()) echo 'hidden';
                     ?>" href="pwreset.php"><?php echo __('Forgot My Password'); ?></a></h3>

diff --git a/include/staff/templates/user-account.tmpl.php b/include/staff/templates/user-account.tmpl.php
@@ -104,7 +104,7 @@
                     <?php echo __('New Password'); ?>:
                 </td>
                 <td>
-                    <input type="password" size="35" name="passwd1" value="<?php echo $info['passwd1']; ?>" autocomplete="new-password">
+                    <input type="password" size="35" name="passwd1" maxlength="128" value="<?php echo $info['passwd1']; ?>" autocomplete="new-password">
                     &nbsp;<span class="error">&nbsp;<?php echo
                     $errors['passwd1']; ?></span>
                 </td>
@@ -114,7 +114,7 @@
                    <?php echo __('Confirm Password'); ?>:
                 </td>
                 <td>
-                    <input type="password" size="35" name="passwd2" value="<?php echo $info['passwd2']; ?>" autocomplete="new-password">
+                    <input type="password" size="35" name="passwd2" maxlength="128" value="<?php echo $info['passwd2']; ?>" autocomplete="new-password">
                     &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd2']; ?></span>
                 </td>
             </tr>

diff --git a/include/staff/templates/user-register.tmpl.php b/include/staff/templates/user-register.tmpl.php
@@ -94,7 +94,7 @@
                     <?php echo __('Temporary Password'); ?>:
                 </td>
                 <td>
-                    <input type="password" size="35" name="passwd1" value="<?php echo $info['passwd1']; ?>">
+                    <input type="password" size="35" name="passwd1" maxlength="128" value="<?php echo $info['passwd1']; ?>">
                     &nbsp;<span class="error">&nbsp;<?php echo
                     $errors['passwd1']; ?></span>
                 </td>
@@ -104,7 +104,7 @@
                    <?php echo __('Confirm Password'); ?>:
                 </td>
                 <td>
-                    <input type="password" size="35" name="passwd2" value="<?php echo $info['passwd2']; ?>">
+                    <input type="password" size="35" name="passwd2" maxlength="128" value="<?php echo $info['passwd2']; ?>">
                     &nbsp;<span class="error">&nbsp;<?php echo $errors['passwd2']; ?></span>
                 </td>
             </tr>

diff --git a/login.php b/login.php
@@ -49,7 +49,7 @@
     if (!$_POST['luser'])
         $errors['err'] = __('Valid username or email address is required');
     elseif (($user = UserAuthenticationBackend::process(trim($_POST['luser']),
-            $_POST['lpasswd'], $errors))) {
+            substr($_POST['lpasswd'], 0, 128), $errors))) {
         if ($user instanceof ClientCreateRequest) {
             if ($cfg && $cfg->isClientRegistrationEnabled()) {
                 // Attempt to automatically register

diff --git a/scp/login.php b/scp/login.php
@@ -69,7 +69,7 @@
     // Lookup support backends for this staff
     $username = trim($_POST['userid']);
     if ($user = StaffAuthenticationBackend::process($username,
-            $_POST['passwd'], $errors)) {
+            substr($_POST['passwd'], 0, 128), $errors)) {
         $redirect($user->isValid() ? $dest : 'login.php');
     }
 

diff --git a/setup/inc/install.inc.php b/setup/inc/install.inc.php
@@ -68,13 +68,13 @@
                 </div>
                 <div class="row">
                     <label><?php echo __('Password');?>:</label>
-                    <input type="password" name="passwd" size="45" tabindex="7" value="<?php echo $info['passwd']; ?>" autocomplete="off">
+                    <input type="password" name="passwd" size="45" maxlength="128" tabindex="7" value="<?php echo $info['passwd']; ?>" autocomplete="off">
                     <a class="tip" href="#password"><i class="icon-question-sign help-tip"></i></a>
                     <font class="error"><?php echo $errors['passwd']; ?></font>
                 </div>
                 <div class="row">
                     <label><?php echo __('Retype Password');?>:</label>
-                    <input type="password" name="passwd2" size="45" tabindex="8" value="<?php echo $info['passwd2']; ?>">
+                    <input type="password" name="passwd2" size="45" maxlength="128" tabindex="8" value="<?php echo $info['passwd2']; ?>">
                     <a class="tip" href="#password2"><i class="icon-question-sign help-tip"></i></a>
                     <font class="error"><?php echo $errors['passwd2']; ?></font>
                 </div>