tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-08-13 13:08:19 +00:00
Code Releases Activity

Ensure complexity, minlength and ispwned are checked on password setting (#18005) (#18015)

Browse Source 
Backport #18005

It appears that there are several places that password length, complexity and ispwned
are not currently been checked when changing passwords. This PR adds these.

Fix #17977

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath
2021-12-17 21:24:59 +00:00
committed by GitHub
parent 3ae4c4898b
commit 2051f850ef
3 changed files with 25 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
routers/web/user/auth.go
View File

@@ -1748,8 +1748,23 @@ func MustChangePasswordPost(ctx *context.Context) {
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
return
}
if !password.IsComplexEnough(form.Password) {
ctx.Data["Err_Password"] = true
ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
return
}
pwned, err := password.IsPwned(ctx, form.Password)
if pwned {
ctx.Data["Err_Password"] = true
errMsg := ctx.Tr("auth.password_pwned")
if err != nil {
log.Error(err.Error())
errMsg = ctx.Tr("auth.password_pwned_err")
}
ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
return
}
var err error
if err = u.SetPassword(form.Password); err != nil {
ctx.ServerError("UpdateUser", err)
return