Last modified: 2010-05-15 15:42:52 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 10250 - No error message given when password is rejected for being empty
No error message given when password is rejected for being empty
Product: MediaWiki
Classification: Unclassified
User preferences (Other open bugs)
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch
Depends on:
  Show dependency treegraph
Reported: 2007-06-14 01:11 UTC by Sheldon Rampton
Modified: 2010-05-15 15:42 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

DefaultSettings + SpecialPreferences (1.03 KB, patch)
2008-03-16 17:52 UTC, Nicolas Dumazet

Description Sheldon Rampton 2007-06-14 01:11:44 UTC
While doing some hacking on the system for allowing users to change their passwords, I noticed that the default value for $wgMinimalPasswordLength seems to be zero.

$wgMinimalPasswordLength is used in function savePreferences() in SpecialPreferences.php. When someone tries to change their password using Special:Preferences, it compares the new password length against $wgMinimalPasswordLength and returns an error message if the new password is shorter.

A value of 0 for $wgMinimalPasswordLength would therefore seem to mean that users can set their password to the empty string if they wish. As an experiment, I tried changing my password to an empty string. When I hit submit, Special:Preferences responded, "Your preferences have been saved." In fact, however, my password remained unchanged.

I'm not sure how this should be changed. I would recommend having a default value greater than zero for $wgMinimalPasswordLength for MediaWiki upon installation. There may be cases where some MediaWiki sites want to allow empty strings as user passwords, but this should not be the default.

In any case, the message from Special:Preferences is currently confusing. It SEEMED to say that it had allowed me to change my password to an empty string, but it did not in fact allow this. The software should either allow empty strings as user passwords (in which case the current response of "Your preferences have been saved" is fine), or it should respond with a more accurate message such as "You cannot change your user password to an empty string."
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-06-14 03:38:19 UTC
This may have been fixed in the past seven or eight months, after 1.8 was released.  Please confirm if you know it also occurs on the latest version, running on Wikipedia.
Comment 2 Sheldon Rampton 2007-06-14 03:45:03 UTC
I just tried this on Wikipedia and got the same result, so it appears that it has not been fixed.
Comment 3 Dan Collins 2007-08-30 19:32:11 UTC
This error does still occur in current trunk, removed 'testme'
Comment 4 Nicolas Dumazet 2008-03-16 17:52:55 UTC
Created attachment 4727 [details]
DefaultSettings + SpecialPreferences

With an empty new password, the form was considering that the user did not want to change its password. It now also tests if the user has submitted its old password.

I also changed the default minimal password length to 1, since a password length >= 0 makes no sense. (And I just tried successfully changing a password to '' on a test wiki : Unable to log in ! )
Comment 5 Aaron Schulz 2008-10-06 23:57:24 UTC
The submission/UI issues fixed in r41787

Note You need to log in before you can comment on or make changes to this bug.