Last modified: 2010-05-15 15:37:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 4081 - Autocreation of accounts allows short passwords
Autocreation of accounts allows short passwords
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.5.x
All All
: Normal major (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 9816
  Show dependency treegraph
 
Reported: 2005-11-25 21:28 UTC by Ryan Lane
Modified: 2010-05-15 15:37 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Ryan Lane 2005-11-25 21:28:36 UTC
In function processLogin in SpecialUserlogin.php, we create accounts
automatically if the external plugin allows it, but we do not check to see if
the password given is valid or not.

This allows users to create accounts with passwords that are shorter than
$wgMinimalPasswordLength. After the user creates the account, the user cannot
log in.

Also, in function addNewAccountInternal, we do not declare the global
$wgMinimalPasswordLength before use.

Below is a patch to fix these two problems.

--- SpecialUserlogin.php.old    2005-11-25 14:49:28.690823592 -0600
+++ SpecialUserlogin.php        2005-11-25 14:57:37.073578128 -0600
@@ -161,11 +161,11 @@
         */
        function addNewAccountInternal() {
                global $wgUser, $wgOut;
                global $wgUseLatin1, $wgEnableSorbs, $wgProxyWhitelist;
                global $wgMemc, $wgAccountCreationThrottle, $wgDBname, $wgIP;
-               global $wgAuth;
+               global $wgAuth, $wgMinimalPasswordLength;
 
                // If the user passes an invalid domain, something is fishy
                if( !$wgAuth->validDomain( $this->mDomain ) ) {
                        $this->mainLoginForm( wfMsg( 'wrongpassword' ) );
                        return false;
@@ -288,17 +288,21 @@
                if( is_null( $u ) ) {
                        $this->mainLoginForm( wfMsg( 'noname' ) );
                        return;
                }
                if ( 0 == $u->getID() ) {
-                       global $wgAuth;
+                       global $wgAuth, $wgMinimalPasswordLength;
                        /**
                         * If the external authentication plugin allows it,
                         * automatically create a new account for users that
                         * are externally defined but have not yet logged in.
                         */
                        if ( $wgAuth->autoCreate() && $wgAuth->userExists( $u->g
                   etName() ) ) {
+                               if ( !$wgUser->isValidPassword( $this->mPassword
                    ) ) {
+                                       $this->mainLoginForm( wfMsg( 'passwordto
                   oshort', $wgMinimalPasswordLength ) );
+                                       return;
+                               }
                                if ( $wgAuth->authenticate( $u->getName(), $this
                   ->mPassword ) ) {
                                        $u =& $this->initUser( $u );
                                } else {
                                        $this->mainLoginForm( wfMsg( 'wrongpassw
                   ord' ) );
                                        return;
Comment 1 Ryan Lane 2005-12-05 14:44:50 UTC
I guess since this is a security problem, allowing people to create accounts who
shouldn't, that I should change this to major.
Comment 2 Brion Vibber 2005-12-05 21:15:01 UTC
Is the bug that authentication plugins may try to slip illegal things into the system?
Comment 3 Ryan Lane 2005-12-06 00:10:08 UTC
Yes. Specifically accounts with passwords that are too short.
Comment 4 Aaron Schulz 2008-05-16 20:34:09 UTC
If login and creation is partly deferred to an auth system, then that system should actually check these things.
Comment 5 Ryan Lane 2008-05-19 13:34:33 UTC
*Both* should check it. Depending on how you are saving passwords it may be impossible for the backend authentication system to check the password. For instance, it is completely valid to save hashes in the LDAP server as SSHA, SHA, MD5, CRYPT, SCRYPT, etc. If all the backend server is getting is a hash, how could it possibly check the length of the password?

Also, if we are enforcing password limits, we need to do so consistently.
Comment 6 Aaron Schulz 2008-05-19 13:44:00 UTC
Actually, I didn't notice this was 1.5...I don't even think that is supported anymore. Anyway, this is checked on 1.11/1.12, and the password is sent to $wgAuth.
Comment 7 Ryan Lane 2008-05-19 13:48:07 UTC
Ah. Looks like it is indeed fixed. I guess I should have checked SVN before reopening this.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links