Last modified: 2010-05-15 15:37:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T6081, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 4081 - Autocreation of accounts allows short passwords
Autocreation of accounts allows short passwords
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
All All
: Normal major (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 9816
  Show dependency treegraph
Reported: 2005-11-25 21:28 UTC by Ryan Lane
Modified: 2010-05-15 15:37 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Ryan Lane 2005-11-25 21:28:36 UTC
In function processLogin in SpecialUserlogin.php, we create accounts
automatically if the external plugin allows it, but we do not check to see if
the password given is valid or not.

This allows users to create accounts with passwords that are shorter than
$wgMinimalPasswordLength. After the user creates the account, the user cannot
log in.

Also, in function addNewAccountInternal, we do not declare the global
$wgMinimalPasswordLength before use.

Below is a patch to fix these two problems.

--- SpecialUserlogin.php.old    2005-11-25 14:49:28.690823592 -0600
+++ SpecialUserlogin.php        2005-11-25 14:57:37.073578128 -0600
@@ -161,11 +161,11 @@
        function addNewAccountInternal() {
                global $wgUser, $wgOut;
                global $wgUseLatin1, $wgEnableSorbs, $wgProxyWhitelist;
                global $wgMemc, $wgAccountCreationThrottle, $wgDBname, $wgIP;
-               global $wgAuth;
+               global $wgAuth, $wgMinimalPasswordLength;
                // If the user passes an invalid domain, something is fishy
                if( !$wgAuth->validDomain( $this->mDomain ) ) {
                        $this->mainLoginForm( wfMsg( 'wrongpassword' ) );
                        return false;
@@ -288,17 +288,21 @@
                if( is_null( $u ) ) {
                        $this->mainLoginForm( wfMsg( 'noname' ) );
                if ( 0 == $u->getID() ) {
-                       global $wgAuth;
+                       global $wgAuth, $wgMinimalPasswordLength;
                         * If the external authentication plugin allows it,
                         * automatically create a new account for users that
                         * are externally defined but have not yet logged in.
                        if ( $wgAuth->autoCreate() && $wgAuth->userExists( $u->g
                   etName() ) ) {
+                               if ( !$wgUser->isValidPassword( $this->mPassword
                    ) ) {
+                                       $this->mainLoginForm( wfMsg( 'passwordto
                   oshort', $wgMinimalPasswordLength ) );
+                                       return;
+                               }
                                if ( $wgAuth->authenticate( $u->getName(), $this
                   ->mPassword ) ) {
                                        $u =& $this->initUser( $u );
                                } else {
                                        $this->mainLoginForm( wfMsg( 'wrongpassw
                   ord' ) );
Comment 1 Ryan Lane 2005-12-05 14:44:50 UTC
I guess since this is a security problem, allowing people to create accounts who
shouldn't, that I should change this to major.
Comment 2 Brion Vibber 2005-12-05 21:15:01 UTC
Is the bug that authentication plugins may try to slip illegal things into the system?
Comment 3 Ryan Lane 2005-12-06 00:10:08 UTC
Yes. Specifically accounts with passwords that are too short.
Comment 4 Aaron Schulz 2008-05-16 20:34:09 UTC
If login and creation is partly deferred to an auth system, then that system should actually check these things.
Comment 5 Ryan Lane 2008-05-19 13:34:33 UTC
*Both* should check it. Depending on how you are saving passwords it may be impossible for the backend authentication system to check the password. For instance, it is completely valid to save hashes in the LDAP server as SSHA, SHA, MD5, CRYPT, SCRYPT, etc. If all the backend server is getting is a hash, how could it possibly check the length of the password?

Also, if we are enforcing password limits, we need to do so consistently.
Comment 6 Aaron Schulz 2008-05-19 13:44:00 UTC
Actually, I didn't notice this was 1.5...I don't even think that is supported anymore. Anyway, this is checked on 1.11/1.12, and the password is sent to $wgAuth.
Comment 7 Ryan Lane 2008-05-19 13:48:07 UTC
Ah. Looks like it is indeed fixed. I guess I should have checked SVN before reopening this.

Note You need to log in before you can comment on or make changes to this bug.