Last modified: 2010-05-15 15:42:52 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T12250, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 10250 - No error message given when password is rejected for being empty
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: User preferences
Version: 1.8.x
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: patch
Reported: 2007-06-14 01:11 UTC by Sheldon Rampton
Modified: 2010-05-15 15:42 UTC

Attachments
DefaultSettings + SpecialPreferences (1.03 KB, patch)
2008-03-16 17:52 UTC, Nicolas Dumazet

Description Sheldon Rampton 2007-06-14 01:11:44 UTC
While doing some hacking on the system for allowing users to change their passwords, I noticed that the default value for $wgMinimalPasswordLength seems to be zero.

$wgMinimalPasswordLength is used in function savePreferences() in SpecialPreferences.php. When someone tries to change their password using Special:Preferences, it compares the new password length against $wgMinimalPasswordLength and returns an error message if the new password is shorter.

A value of 0 for $wgMinimalPasswordLength would therefore seem to mean that users can set their password to the empty string if they wish. As an experiment, I tried changing my password to an empty string. When I hit submit, Special:Preferences responded, "Your preferences have been saved." In fact, however, my password remained unchanged.

I'm not sure how this should be changed. I would recommend having a default value greater than zero for $wgMinimalPasswordLength for MediaWiki upon installation. There may be cases where some MediaWiki sites want to allow empty strings as user passwords, but this should not be the default.

In any case, the message from Special:Preferences is currently confusing. It SEEMED to say that it had allowed me to change my password to an empty string, but it did not in fact allow this. The software should either allow empty strings as user passwords (in which case the current response of "Your preferences have been saved" is fine), or it should respond with a more accurate message such as "You cannot change your user password to an empty string."
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-06-14 03:38:19 UTC
This may have been fixed in the past seven or eight months, after 1.8 was released.  Please confirm if you know it also occurs on the latest version, running on Wikipedia.
Comment 2 Sheldon Rampton 2007-06-14 03:45:03 UTC
I just tried this on Wikipedia and got the same result, so it appears that it has not been fixed.
Comment 3 Dan Collins 2007-08-30 19:32:11 UTC
This error does still occur in current trunk, removed 'testme'
Comment 4 Nicolas Dumazet 2008-03-16 17:52:55 UTC
Created attachment 4727
DefaultSettings + SpecialPreferences

With an empty new password, the form was considering that the user did not want to change their password. It now also tests if the user has submitted their old password.

I also changed the default minimal password length to 1, since a password length >= 0 makes no sense. (And I just tried successfully changing a password to '' on a test wiki: Unable to log in!)
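
The behaviour reported in the description and the change described in Comment 4, side by side, as an added example that is not part of the thread and is not MediaWiki's own code or the attached patch. The function names, the `$user` array, the "Wrong old password." message and the use of `password_hash()`/`password_verify()` are assumptions made for illustration; the two status messages are the ones quoted in the description.

```php
<?php
// Added illustration with hypothetical names; not code from SpecialPreferences.php.
// password_hash()/password_verify() stand in for the wiki's own password storage.

const SAVED    = 'Your preferences have been saved.';
const REJECTED = 'You cannot change your user password to an empty string.';

// Reported behaviour: an empty "new password" field is read as "no change
// requested", so the length check never runs and the form still reports success.
function savePreferencesBefore(array &$user, string $old, string $new, int $minLength = 0): string
{
    if ($new !== '') {
        if (strlen($new) < $minLength) {
            return REJECTED;
        }
        if (!password_verify($old, $user['hash'])) {
            return 'Wrong old password.';
        }
        $user['hash'] = password_hash($new, PASSWORD_DEFAULT);
    }
    return SAVED;
}

// Comment 4's description: a submitted old password also counts as a change
// attempt, and the default minimum length becomes 1.
function savePreferencesAfter(array &$user, string $old, string $new, int $minLength = 1): string
{
    if ($new !== '' || $old !== '') {
        if (strlen($new) < $minLength) {
            return REJECTED;
        }
        if (!password_verify($old, $user['hash'])) {
            return 'Wrong old password.';
        }
        $user['hash'] = password_hash($new, PASSWORD_DEFAULT);
    }
    return SAVED;
}

// Constructed sample account and submissions.
$user = ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)];

echo savePreferencesBefore($user, 'correct horse', ''), "\n"; // old filled in, new empty
echo savePreferencesAfter($user, 'correct horse', ''), "\n";  // same submission, fixed logic
echo savePreferencesAfter($user, '', ''), "\n";               // both empty: no change requested
var_dump(password_verify('correct horse', $user['hash']));    // is the original password still valid?
```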
Comment 5 Aaron Schulz 2008-10-06 23:57:24 UTC
The submission/UI issues fixed in r41787
