Browse code

* Passwörter mit cracklib prüfen * Nach Passwort-neu-setzen ist man eingeloggt

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@533 87cf0b9e-d624-0410-a070-f6ee81989793

bernd authored on04/07/2007 12:54:53
Showing6 changed files
1 1
new file mode 100644
2 2
Binary files /dev/null and b/inc/cracklib_dict.hwm differ
3 3
new file mode 100644
4 4
Binary files /dev/null and b/inc/cracklib_dict.pwd differ
5 5
new file mode 100644
6 6
Binary files /dev/null and b/inc/cracklib_dict.pwi differ
... ...
@@ -1,6 +1,34 @@
1 1
 <?php
2 2
 
3 3
 
4
+function strong_password($password)
5
+{
6
+  include("config.php");
7
+  DEBUG("Öffne Wörterbuch: {$config['cracklib_dict']}");
8
+  if (! ($dict = crack_opendict($config['cracklib_dict'])))
9
+  {
10
+    logger("inc/security.php", "cracklib", "could not open cracklib-dictionary »{$config['cracklib_dict']}«");
11
+    system_failure("Kann Crack-Lib-Wörterbuch nicht öffnen: {$config['cracklib_dict']}");
12
+  }
13
+  // Führe eine Überprüfung des Passworts durch
14
+  $check = crack_check($dict, $password);
15
+
16
+  $message = crack_getlastmessage();
17
+  crack_closedict($dict);
18
+
19
+  if ($check === True)
20
+  {
21
+    DEBUG("Passwort ok");
22
+    return true;
23
+  }
24
+  else
25
+  {
26
+    DEBUG("Passwort nicht ok: {$message}");
27
+    return $message;
28
+  }
29
+}
30
+
31
+
4 32
 function filter_input_general( $input )
5 33
 {
6 34
         return htmlspecialchars(iconv('UTF-8', 'UTF-8', $input), ENT_QUOTES, 'UTF-8');
... ...
@@ -1,5 +1,6 @@
1 1
 <?php
2 2
 require_once('inc/debug.php');
3
+require_once('inc/security.php');
3 4
 
4 5
 $title = "Passwort &auml;ndern";
5 6
 $error = '';
... ...
@@ -28,11 +29,13 @@ if ($_POST['password1'] != '')
28 29
     input_error('Sie m&uuml;ssen das neue Passwort zweimal eingeben!');
29 30
   elseif ($_POST['old_password'] == '')
30 31
     input_error('Altes Passwort nicht angegeben!');
32
+  elseif (($check = strong_password($_POST['password1'])) !== true)
33
+    input_error("Das Passwort ist zu einfach (cracklib sagt: {$check})!");
31 34
   else
32 35
   {
33
-    if ($result == ROLE_SYSTEMUSER)
36
+    if ($result === ROLE_SYSTEMUSER)
34 37
       set_systemuser_password($_SESSION['userinfo']['uid'], $_POST['password1']);
35
-    elseif ($result == ROLE_CUSTOMER)
38
+    elseif ($result === ROLE_CUSTOMER)
36 39
       set_customer_password($_SESSION['customerinfo']['customerno'], $_POST['password1']);
37 40
     else
38 41
       system_failure("WTF?!");
... ...
@@ -9,6 +9,7 @@ if (isset($_REQUEST['customerno']) and isset($_REQUEST['token']))
9 9
   $token = $_REQUEST['token'];
10 10
   
11 11
   require_once('newpass.php');
12
+  require_once('inc/security.php');
12 13
   if (validate_token($customerno, $token))
13 14
   {
14 15
     $show = 'password';
... ...
@@ -18,6 +19,8 @@ if (isset($_REQUEST['customerno']) and isset($_REQUEST['token']))
18 19
         input_error("Die beiden Passwort-Eingaben stimmen nicht überein.");
19 20
       elseif ($_POST['password'] == '')
20 21
         input_error("Es kann kein leeres Passwort gesetzt werden");
22
+      elseif (($result = strong_password($_POST['password'])) !== true)
23
+        input_error("Das Passwort ist zu einfach (cracklib sagt: {$result})!");
21 24
       else
22 25
       {
23 26
         require_once('session/checkuser.php');