authorThomas Steur <tsteur@users.noreply.github.com>2018-11-01 15:51:30 +0300
committerStefan Giehl <stefan@piwik.org>2018-11-01 15:51:30 +0300
commit5aed978ed284d81cd8e046498588b17d0592d3e0 (patch)
tree26e18ca1eba6147bfeb3c7d2cb181eef1b1e0465 /plugins/UsersManager
parent99801f33dc7c60021f044509301412f335b744cd (diff)
Limit password length (#13494)
Diffstat (limited to 'plugins/UsersManager')
-rw-r--r--plugins/UsersManager/UsersManager.php4
-rw-r--r--plugins/UsersManager/lang/en.json1
-rw-r--r--plugins/UsersManager/tests/Integration/APITest.php9
3 files changed, 14 insertions, 0 deletions
diff --git a/plugins/UsersManager/UsersManager.php b/plugins/UsersManager/UsersManager.php
index 6f5c881001..1dd7d3b9bb 100644
--- a/plugins/UsersManager/UsersManager.php
+++ b/plugins/UsersManager/UsersManager.php
@@ -25,6 +25,7 @@ use Piwik\SettingsPiwik;
class UsersManager extends \Piwik\Plugin
{
const PASSWORD_MIN_LENGTH = 6;
+ const PASSWORD_MAX_LENGTH = 200;
/**
* @see \Piwik\Plugin::registerEvents
@@ -186,6 +187,9 @@ class UsersManager extends \Piwik\Plugin
if (!self::isValidPasswordString($password)) {
throw new Exception(Piwik::translate('UsersManager_ExceptionInvalidPassword', array(self::PASSWORD_MIN_LENGTH)));
}
+ if (Common::mb_strlen($password) > self::PASSWORD_MAX_LENGTH) {
+ throw new Exception(Piwik::translate('UsersManager_ExceptionInvalidPasswordTooLong', array(self::PASSWORD_MAX_LENGTH)));
+ }
}
public static function getPasswordHash($password)
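Review bot: The new condition uses `>`, so a password of exactly PASSWORD_MAX_LENGTH characters is accepted, while the en.json string added in the same commit says the length "must be less than %1$s characters"; the user-facing message and the check disagree by one. Either reword the string to `"The password length must not exceed %1$s characters."` or change the guard to `if (Common::mb_strlen($password) >= self::PASSWORD_MAX_LENGTH) {`, whichever bound is intended. Separately, `Common::mb_strlen` counts characters, not bytes, so a 200-character multibyte password can be several times that many bytes; if the limit is meant to bound the input handed to `getPasswordHash` (whose body is outside this hunk), a byte-length check with `strlen` would be the tighter guard — worth confirming against how that function treats long input. The enclosing function begins outside the hunk.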
diff --git a/plugins/UsersManager/lang/en.json b/plugins/UsersManager/lang/en.json
index 4a5af09f02..62944443e4 100644
--- a/plugins/UsersManager/lang/en.json
+++ b/plugins/UsersManager/lang/en.json
@@ -35,6 +35,7 @@
"ExceptionInvalidEmail": "The email doesn't have a valid format.",
"ExceptionInvalidLoginFormat": "The username must be between %1$s and %2$s characters long and contain only letters, numbers, or the characters '_' or '-' or '.' or '@' or '+'",
"ExceptionInvalidPassword": "The password length must be greater than %1$s characters.",
+ "ExceptionInvalidPasswordTooLong": "The password length must be less than %1$s characters.",
"ExceptionLoginExists": "Username '%s' already exists.",
"ExceptionPasswordMD5HashExpected": "UsersManager.getTokenAuth is expecting a MD5-hashed password (32 chars long string). Please call the md5() function on the password before calling this method.",
"ExceptionRemoveSuperUserAccessOnlySuperUser": "Removing the Super User access from user '%s' is not possible.",
diff --git a/plugins/UsersManager/tests/Integration/APITest.php b/plugins/UsersManager/tests/Integration/APITest.php
index 4c4bae1882..83f4b2be36 100644
--- a/plugins/UsersManager/tests/Integration/APITest.php
+++ b/plugins/UsersManager/tests/Integration/APITest.php
@@ -317,6 +317,15 @@ class APITest extends IntegrationTestCase
$this->assertSame($userBefore['ts_password_modified'], $user['ts_password_modified']);
}
+ /**
+ * @expectedException \Exception
+ * @expectedExceptionMessage UsersManager_ExceptionInvalidPasswordTooLong
+ */
+ public function test_updateUser_failsIfPasswordTooLong()
+ {
+ $this->api->updateUser($this->login, str_pad('foo', UsersManager::PASSWORD_MAX_LENGTH + 1), 'email@example.com', 'newAlias');
+ }
+
public function test_getSitesAccessFromUser_forSuperUser()
{
$user2 = 'userLogin2';
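Review bot: The new test pins only the rejecting side of the bound (PASSWORD_MAX_LENGTH + 1); a companion case that a password of exactly PASSWORD_MAX_LENGTH characters is accepted would catch an accidental `>=` in the check, e.g. `$this->api->updateUser($this->login, str_pad('foo', UsersManager::PASSWORD_MAX_LENGTH), 'email@example.com', 'newAlias');` followed by an assertion that the update went through. If addUser runs through the same password check (not visible in this diff), the same pair of cases applies there. Note that `str_pad` pads with spaces, which is fine for a pure length test but assumes the existing password validity check accepts trailing spaces.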