From c8fb81710f20dd47a49cb1988568f8a4adc3b87a Mon Sep 17 00:00:00 2001 From: Laurent De Coninck Date: Fri, 4 Oct 2019 18:13:00 +0200 Subject: [PATCH 1/3] fix #12041 - Generate password Secure the generate password method "perso". Now the system checks the minimum possible value. If the value entered is lower then the system will never trigger the update. Since the update is done through GET parameters, I also added a check backend wise. This checks should never be triggered nor in error. [see: #12041] --- htdocs/admin/security.php | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index df2d2b09ee6..a7707629cff 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -170,9 +170,23 @@ elseif ($action == 'disable_MAIN_SECURITY_DISABLEFORGETPASSLINK') if ($action == 'maj_pattern') { - dolibarr_set_const($db, "USER_PASSWORD_PATTERN", GETPOST("pattern"), 'chaine', 0, '', $conf->entity); - header("Location: security.php"); - exit; + $pattern = GETPOST("pattern"); + $explodePattern = explode(';',$pattern); + + $patternInError = false; + if($explodePattern[0] < 1 || $explodePattern[4] < 1){ + $patternInError = true; + } + + if($explodePattern[0] < $explodePattern[1] + $explodePattern[2] + $explodePattern[3]){ + $patternInError = true; + } + + if(!$patternInError){ + dolibarr_set_const($db, "USER_PASSWORD_PATTERN", $pattern, 'chaine', 0, '', $conf->entity); + header("Location: security.php"); + exit; + } } @@ -278,13 +292,6 @@ if ($conf->global->USER_PASSWORD_GENERATED == "Perso"){ $tabConf = explode(";", $conf->global->USER_PASSWORD_PATTERN); - /*$this->length2 = $tabConf[0]; - $this->NbMaj = $tabConf[1]; - $this->NbNum = $tabConf[2]; - $this->NbSpe = $tabConf[3]; - $this->NbRepeat = $tabConf[4]; - $this->WithoutAmbi = $tabConf[5]; - */ print '
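Review bot: The backend check added in the `maj_pattern` branch compares the raw exploded strings without first confirming that the five numeric fields exist and are plain non-negative integers. Fields 1 to 3 have no lower bound, so negative or non-numeric counts can still satisfy the length-versus-sum test, and a value with fewer than five `;`-separated parts reads undefined offsets. Validating each field before comparing, as sketched below, closes both gaps; storing a string rebuilt from the validated integers instead of the raw `$pattern` would be stricter still. When the pattern is rejected the branch falls through without any message, so the administrator has no indication that the policy was not saved. The sixth field (the ambiguous-characters flag, going by the commented-out list removed in the next hunk) is stored unchecked as well.

```php
    $pattern = GETPOST("pattern");
    $explodePattern = explode(';', $pattern);

    // Reject anything that is not at least five plain non-negative integers
    // before any value is compared.
    $patternInError = (count($explodePattern) < 5);
    for ($i = 0; $i < 5 && !$patternInError; $i++) {
        if (!ctype_digit($explodePattern[$i])) {
            $patternInError = true;
        }
    }

    if (!$patternInError) {
        list($length, $nbMaj, $nbNum, $nbSpe, $nbRepeat) = array_map('intval', $explodePattern);
        $patternInError = ($length < 1 || $nbRepeat < 1 || $length < $nbMaj + $nbNum + $nbSpe);
    }
    // … unchanged: dolibarr_set_const and redirect when !$patternInError …
```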
'; print ''; print ''; @@ -318,7 +325,7 @@ if ($conf->global->USER_PASSWORD_GENERATED == "Perso"){ print ''; print '"; - print ''; + print ''; print ''; @@ -350,6 +357,13 @@ if ($conf->global->USER_PASSWORD_GENERATED == "Perso"){ print ' }'; print ' function valuePossible(){'; + print ' var fields = ["#minlenght", "#NbMajMin", "#NbNumMin", "#NbSpeMin", "#NbIteConsecutive"];'; + print ' for(var i = 0 ; i < fields.length ; i++){'; + print ' if($(fields[i]).val() < $(fields[i]).attr("min")){'; + print ' return false;'; + print ' }'; + print ' }'; + print ' '; print ' var length = parseInt($("#minlenght").val());'; print ' var length_mini = parseInt($("#NbMajMin").val()) + parseInt($("#NbNumMin").val()) + parseInt($("#NbSpeMin").val());'; print ' return length >= length_mini;'; From a509404636d68158c85b987489e87b124992f94c Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Oct 2019 16:26:26 +0000 Subject: [PATCH 2/3] Fixing style errors. --- htdocs/admin/security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index a7707629cff..3a786f30a84 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -171,7 +171,7 @@ elseif ($action == 'disable_MAIN_SECURITY_DISABLEFORGETPASSLINK') if ($action == 'maj_pattern') { $pattern = GETPOST("pattern"); - $explodePattern = explode(';',$pattern); + $explodePattern = explode(';', $pattern); $patternInError = false; if($explodePattern[0] < 1 || $explodePattern[4] < 1){ From 91a922a454d7f806736dbd40952f1b862c6034a0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 7 Oct 2019 12:54:28 +0200 Subject: [PATCH 3/3] Update security.php --- htdocs/admin/security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index 3a786f30a84..c4c8026e076 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php 
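Review bot: The loop added to `valuePossible()` compares `$(fields[i]).val()` with `$(fields[i]).attr("min")` as strings, so the test is lexicographic rather than numeric: a value of "10" counts as smaller than any single-digit minimum above 1. The `min` attributes are not visible in this hunk, so whether a current field is affected is unconfirmed, but the check breaks as soon as one of them has a minimum of 2 or more. Parsing both sides first avoids this, e.g. `var v = parseInt($(fields[i]).val(), 10), m = parseInt($(fields[i]).attr("min"), 10);` followed by `if (isNaN(v) || v < m) { return false; }`. This client-side test is a convenience only; the server-side check in the `maj_pattern` branch is the one that has to hold.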
@@ -325,7 +325,7 @@ if ($conf->global->USER_PASSWORD_GENERATED == "Perso"){ print ''; print '"; - print ''; + print ''; print '';
' . $langs->trans("NbIteConsecutive")."
' . $langs->trans("NbIteConsecutive")."