bernd commited on 2007-07-04 12:54:53
Zeige 6 geänderte Dateien mit 36 Einfügungen und 2 Löschungen.
git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@533 87cf0b9e-d624-0410-a070-f6ee81989793
| ... | ... |
@@ -1,6 +1,34 @@ |
| 1 | 1 |
<?php |
| 2 | 2 |
|
| 3 | 3 |
|
| 4 |
+function strong_password($password) |
|
| 5 |
+{
|
|
| 6 |
+ include("config.php");
|
|
| 7 |
+ DEBUG("Öffne Wörterbuch: {$config['cracklib_dict']}");
|
|
| 8 |
+ if (! ($dict = crack_opendict($config['cracklib_dict']))) |
|
| 9 |
+ {
|
|
| 10 |
+ logger("inc/security.php", "cracklib", "could not open cracklib-dictionary »{$config['cracklib_dict']}«");
|
|
| 11 |
+ system_failure("Kann Crack-Lib-Wörterbuch nicht öffnen: {$config['cracklib_dict']}");
|
|
| 12 |
+ } |
|
| 13 |
+ // Führe eine Überprüfung des Passworts durch |
|
| 14 |
+ $check = crack_check($dict, $password); |
|
| 15 |
+ |
|
| 16 |
+ $message = crack_getlastmessage(); |
|
| 17 |
+ crack_closedict($dict); |
|
| 18 |
+ |
|
| 19 |
+ if ($check === True) |
|
| 20 |
+ {
|
|
| 21 |
+ DEBUG("Passwort ok");
|
|
| 22 |
+ return true; |
|
| 23 |
+ } |
|
| 24 |
+ else |
|
| 25 |
+ {
|
|
| 26 |
+ DEBUG("Passwort nicht ok: {$message}");
|
|
| 27 |
+ return $message; |
|
| 28 |
+ } |
|
| 29 |
+} |
|
| 30 |
+ |
|
| 31 |
+ |
|
| 4 | 32 |
function filter_input_general( $input ) |
| 5 | 33 |
{
|
| 6 | 34 |
return htmlspecialchars(iconv('UTF-8', 'UTF-8', $input), ENT_QUOTES, 'UTF-8');
|
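Review bot: strong_password() returns either `true` or cracklib's message string, and a non-empty string is truthy in PHP, so a future caller that writes `if (strong_password($pw))` would accept every password cracklib rejected. Both call sites in this commit compare with `!== true`, which is correct, but the contract is not documented; I would add above the function `// Returns true if cracklib accepts $password, otherwise cracklib's message string. Callers must compare with !== true.` The dictionary-failure branch also falls through to `crack_check($dict, $password)` with a failed `$dict` unless `system_failure()` never returns, which is not visible in this hunk; a comment stating that it terminates the request, or an explicit early return of an error string after it, would keep the check fail-closed. filter_input_general() at the end of the hunk continues outside it.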
| ... | ... |
@@ -1,5 +1,6 @@ |
| 1 | 1 |
<?php |
| 2 | 2 |
require_once('inc/debug.php');
|
| 3 |
+require_once('inc/security.php');
|
|
| 3 | 4 |
|
| 4 | 5 |
$title = "Passwort ändern"; |
| 5 | 6 |
$error = ''; |
| ... | ... |
@@ -28,11 +29,13 @@ if ($_POST['password1'] != '') |
| 28 | 29 |
input_error('Sie müssen das neue Passwort zweimal eingeben!');
|
| 29 | 30 |
elseif ($_POST['old_password'] == '') |
| 30 | 31 |
input_error('Altes Passwort nicht angegeben!');
|
| 32 |
+ elseif (($check = strong_password($_POST['password1'])) !== true) |
|
| 33 |
+ input_error("Das Passwort ist zu einfach (cracklib sagt: {$check})!");
|
|
| 31 | 34 |
else |
| 32 | 35 |
{
|
| 33 |
- if ($result == ROLE_SYSTEMUSER) |
|
| 36 |
+ if ($result === ROLE_SYSTEMUSER) |
|
| 34 | 37 |
set_systemuser_password($_SESSION['userinfo']['uid'], $_POST['password1']); |
| 35 |
- elseif ($result == ROLE_CUSTOMER) |
|
| 38 |
+ elseif ($result === ROLE_CUSTOMER) |
|
| 36 | 39 |
set_customer_password($_SESSION['customerinfo']['customerno'], $_POST['password1']); |
| 37 | 40 |
else |
| 38 | 41 |
system_failure("WTF?!");
|
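Review bot: The switch from `==` to `===` in the two `$result` role checks makes both branches depend on `$result` having exactly the same type as `ROLE_SYSTEMUSER` and `ROLE_CUSTOMER`, and `$result` is assigned outside this hunk. If the role lookup returns a numeric string while the constants are integers, a correctly authenticated user would end up in `system_failure("WTF?!")` instead of having the password set. That fails closed, but it is worth confirming the return type and recording it next to the check, e.g. `// $result holds a ROLE_* constant from the login check (same type), so === is safe`. Separately, the cracklib check is done in this page, and again in the reset-token page at `strong_password($_POST['password'])`, rather than inside `set_systemuser_password()` / `set_customer_password()`; any other caller of those setters would presumably bypass it, so enforcing it in the setters may be the safer place.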
| ... | ... |
@@ -9,6 +9,7 @@ if (isset($_REQUEST['customerno']) and isset($_REQUEST['token'])) |
| 9 | 9 |
$token = $_REQUEST['token']; |
| 10 | 10 |
|
| 11 | 11 |
require_once('newpass.php');
|
| 12 |
+ require_once('inc/security.php');
|
|
| 12 | 13 |
if (validate_token($customerno, $token)) |
| 13 | 14 |
{
|
| 14 | 15 |
$show = 'password'; |
| ... | ... |
@@ -18,6 +19,8 @@ if (isset($_REQUEST['customerno']) and isset($_REQUEST['token'])) |
| 18 | 19 |
input_error("Die beiden Passwort-Eingaben stimmen nicht überein.");
|
| 19 | 20 |
elseif ($_POST['password'] == '') |
| 20 | 21 |
input_error("Es kann kein leeres Passwort gesetzt werden");
|
| 22 |
+ elseif (($result = strong_password($_POST['password'])) !== true) |
|
| 23 |
+ input_error("Das Passwort ist zu einfach (cracklib sagt: {$result})!");
|
|
| 21 | 24 |
else |
| 22 | 25 |
{
|
| 23 | 26 |
require_once('session/checkuser.php');
|
| 24 | 27 |