Bugfixes for password policy

2025-01-10 04:19:00 +02:00 · 2023-02-15 19:53:35 +01:00 · 2023-02-15 19:53:35 +01:00 · 8ee34bf428
commit 8ee34bf428
parent 66d5b5a697
5 changed files with 19 additions and 9 deletions
--- a/cps/admin.py
+++ b/cps/admin.py
@ -1798,7 +1798,10 @@ def _configuration_update_helper():
        _config_checkbox(to_save, "config_password_lower")
        _config_checkbox(to_save, "config_password_upper")
        _config_checkbox(to_save, "config_password_special")
-        _config_int(to_save, "config_password_min_length")
+        if 0 < int(to_save.get("config_password_min_length", "0")) < 41:
+            _config_int(to_save, "config_password_min_length")
+        else:
+            return _configuration_result(_('Password length has to be between 1 and 40'))
        reboot_required |= _config_int(to_save, "config_session")
        reboot_required |= _config_checkbox(to_save, "config_ratelimiter")

@ -2003,6 +2006,7 @@ def _handle_edit_user(to_save, content, languages, translations, kobo_support):
                content.name = check_username(to_save["name"])
            if to_save.get("kindle_mail") != content.kindle_mail:
                content.kindle_mail = valid_email(to_save["kindle_mail"]) if to_save["kindle_mail"] else ""
+            content.password = generate_password_hash(helper.valid_password(to_save.get("password", "")))
        except Exception as ex:
            log.error(ex)
            flash(str(ex), category="error")
--- a/cps/helper.py
+++ b/cps/helper.py
@ -612,7 +612,7 @@ def reset_password(user_id):
    if not config.get_mail_server_configured():
        return 2, None
    try:
-        password = generate_random_password()
+        password = generate_random_password(config.config_password_min_length)
        existing_user.password = generate_password_hash(password)
        ub.session.commit()
        send_registration_mail(existing_user.email, existing_user.name, password, True)
@ -622,9 +622,9 @@ def reset_password(user_id):
        return 0, None


-def generate_random_password():
+def generate_random_password(min_length):
    s = "abcdefghijklmnopqrstuvwxyz01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%&*()?"
-    passlen = 8
+    passlen = min_length
    return "".join(s[c % len(s)] for c in os.urandom(passlen))


--- a/cps/templates/config_edit.html
+++ b/cps/templates/config_edit.html
@ -382,7 +382,7 @@
            <div data-related="password_settings">
              <div class="form-group" style="margin-left:10px;">
                <label for="config_password_min_length">{{_('Minimum password length')}}</label>
-                <input type="number" min="0" max="40" class="form-control" name="config_password_min_length" id="config_password_min_length" value="{% if config.config_password_min_length != None %}{{ config.config_password_min_length }}{% endif %}" autocomplete="off" required>
+                <input type="number" min="1" max="40" class="form-control" name="config_password_min_length" id="config_password_min_length" value="{% if config.config_password_min_length != None %}{{ config.config_password_min_length }}{% endif %}" autocomplete="off" required>
              </div>
              <div class="form-group" style="margin-left:10px;">
                <input type="checkbox" id="config_password_number" name="config_password_number"  {% if config.config_password_number %}checked{% endif %}>
--- a/cps/ub.py
+++ b/cps/ub.py
@ -55,6 +55,7 @@ from werkzeug.security import generate_password_hash

 from . import constants, logger

+
 log = logger.create()

 session = None
@ -845,7 +846,12 @@ def init_db(app_db_path, user_credentials=None):
            if not password:
                print("Empty password is not allowed")
                sys.exit(4)
-            user.password = generate_password_hash(password)
+            try:
+                from .helper import valid_password
+                user.password = generate_password_hash(valid_password(password))
+            except Exception:
+                print("Password doesn't comply with password validation rules")
+                sys.exit(4)
            if session_commit() == "":
                print("Password for user '{}' changed".format(username))
                sys.exit(0)
--- a/cps/web.py
+++ b/cps/web.py
@ -1255,8 +1255,8 @@ def register_post():
    if check_valid_domain(email):
        content.name = nickname
        content.email = email
-        password = generate_random_password()
-        content.password = generate_password_hash(password)
+        password = generate_random_password(config.config_password_min_length)
+        content.password = generate_password_hash(valid_password(password))
        content.role = config.config_default_role
        content.locale = config.config_default_locale
        content.sidebar_view = config.config_default_show
@ -1412,7 +1412,7 @@ def change_profile(kobo_support, local_oauth_check, oauth_status, translations,
    try:
        if current_user.role_passwd() or current_user.role_admin():
            if to_save.get('password', "") != "":
-                current_user.password = generate_password_hash(to_save.get("password"))
+                current_user.password = generate_password_hash(valid_password(to_save.get("password", "")))
        if to_save.get("eReader_mail", current_user.kindle_mail) != current_user.kindle_mail:
            current_user.kindle_mail = valid_email(to_save.get("eReader_mail"))
        new_email = valid_email(to_save.get("email", current_user.email))