Fix for https://bugs.cacert.org/view.php?id=637

(password suggestion always the same).
13 years ago · f0c474f5d6
parent 090a92ceec
commit f0c474f5d6
5 changed files with 27 additions and 8 deletions
--- a/includes/general.php
+++ b/includes/general.php
@ -248,8 +248,7 @@
 		}
 	}

-	function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
-	{
+	function checkpwlight($pwd) {
 		$points = 0;

 		if(strlen($pwd) > 15)
@ -279,7 +278,19 @@
 			$points++;

 		//echo "Points due to length and charset: $points<br/>";
+		
+		// check for historical password proposal
+		if ($pwd === "Fr3d Sm|7h") {
+			return 0;
+		}
+		
+		return $points;
+	}

+	function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
+	{
+		$points = checkpwlight($pwd);
+		
 		if(@strstr(strtolower($pwd), strtolower($email)))
 			$points--;

--- a/pages/account/14.php
+++ b/pages/account/14.php
@ -15,6 +15,16 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ ?>
+<?
+	if (intval($_REQUEST['force']) === 1)
+{
+?>
+
+<p style="border:dotted 1px #900;padding:0.3em;bold;color:#ffffff;background-color:#ff0000;"><strong><center>
+<?=_("For your own security you should change your pass phrase immediately!"); ?></center></strong>
+</p>
+<?}?>
+
 <form method="post" action="account.php">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper" width="400">
  <tr>
--- a/pages/index/1.php
+++ b/pages/index/1.php
@ -18,9 +18,7 @@
 <p><?=_("By joining CAcert and becoming a Member, you agree to the CAcert Community Agreement. Please take a moment now to read that and agree to it; this will be required to complete the process of joining.")?></p>
 <p><?=_("Warning! This site requires cookies to be enabled to ensure your privacy and security. This site uses session cookies to store temporary values to prevent people from copying and pasting the session ID to someone else exposing their account, personal details and identity theft as a result.")?></p>
 <p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
-<b><?=_("In light of the number of people having issues with making up a password we have the following suggestions:")?></b><br><br>
-<?=_("To get a password that will work, we suggest the following example")?>: Fr3d Sm|7h<br><br>
-<?=_("This wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?><br><br>
+<?=_("A proper password wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?><br><br>
 <b><?=_("Note: White spaces at the beginning and end of a password will be removed.")?></b>
 </p>

--- a/pages/index/6.php
+++ b/pages/index/6.php
@ -16,9 +16,7 @@
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ ?>
 <p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
-<b><?=_("In light of the number of people having issues with making up a password we have the following suggestions:")?></b><br><br>
-<?=_("To get a password that will work, we suggest the following example")?>: Fr3d Sm|7h<br><br>
-<?=_("This wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?>
+<?=_("A proper password wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?>
 </p>

 <form method="post" action="index.php" autocomplete="off">
--- a/www/index.php
+++ b/www/index.php
@ -332,6 +332,8 @@
 				$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
 				$_SESSION['_config']['oldlocation'] = "account.php?id=13";
 			}
+			if (checkpwlight($pword) < 3)
+				$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
 			if($_SESSION['_config']['oldlocation'] != "")
 				header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
 			else