1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
<?php
/**
* Password policy checks
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
use \Cdb\Reader as CdbReader;
/**
* Functions to check passwords against a policy requirement
* @since 1.26
*/
class PasswordPolicyChecks {
/**
* Check password is longer than minimum, not fatal
* @param int $policyVal minimal length
* @param User $user
* @param string $password
* @return Status error if $password is shorter than $policyVal
*/
public static function checkMinimalPasswordLength( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->error( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is longer than minimum, fatal
* @param int $policyVal minimal length
* @param User $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMinimumPasswordLengthToLogin( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->fatal( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is shorter than maximum, fatal
* @param int $policyVal maximum length
* @param User $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMaximalPasswordLength( $policyVal, User $user, $password ) {
$status = Status::newGood();
if ( $policyVal < strlen( $password ) ) {
$status->fatal( 'passwordtoolong', $policyVal );
}
return $status;
}
/**
* Check if username and password match
* @param bool $policyVal true to force compliance.
* @param User $user
* @param string $password
* @return Status error if username and password match, and policy is true
*/
public static function checkPasswordCannotMatchUsername( $policyVal, User $user, $password ) {
global $wgContLang;
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal && $wgContLang->lc( $password ) === $wgContLang->lc( $username ) ) {
$status->error( 'password-name-match' );
}
return $status;
}
/**
* Check if username and password are on a blacklist
* @param bool $policyVal true to force compliance.
* @param User $user
* @param string $password
* @return Status error if username and password match, and policy is true
*/
public static function checkPasswordCannotMatchBlacklist( $policyVal, User $user, $password ) {
static $blockedLogins = [
'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
];
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal ) {
if ( isset( $blockedLogins[$username] ) && $password == $blockedLogins[$username] ) {
$status->error( 'password-login-forbidden' );
}
// Example from ApiChangeAuthenticationRequest
if ( $password === 'ExamplePassword' ) {
$status->error( 'password-login-forbidden' );
}
}
return $status;
}
/**
* Ensure that password isn't in top X most popular passwords
*
* @param int $policyVal Cut off to use. Will automatically shrink to the max
* supported for error messages if set to more than max number of passwords on file,
* so you can use the PHP_INT_MAX constant here safely.
* @param User $user
* @param string $password
* @since 1.27
* @return Status
*/
public static function checkPopularPasswordBlacklist( $policyVal, User $user, $password ) {
global $wgPopularPasswordFile, $wgSitename;
$status = Status::newGood();
if ( $policyVal > 0 ) {
$langEn = Language::factory( 'en' );
$passwordKey = $langEn->lc( trim( $password ) );
// People often use the name of the current site, which won't be
// in the common password file. Also check '' for people who use
// just whitespace.
$sitename = $langEn->lc( trim( $wgSitename ) );
$hardcodedCommonPasswords = [ '', 'wiki', 'mediawiki', $sitename ];
if ( in_array( $passwordKey, $hardcodedCommonPasswords ) ) {
$status->error( 'passwordtoopopular' );
return $status;
}
// This could throw an exception, but there's not a good way
// of failing gracefully, if say the file is missing, so just
// let the exception fall through.
// Format of cdb file is mapping password => popularity rank.
// See maintenance/createCommonPasswordCdb.php
$db = CdbReader::open( $wgPopularPasswordFile );
$res = $db->get( $passwordKey );
if ( $res && (int)$res <= $policyVal ) {
// Note: If you want to find the true number of common
// passwords stored (for reporting the error), you have to take
// the max of the policyVal and $db->get( '_TOTALENTRIES' ).
$status->error( 'passwordtoopopular' );
}
}
return $status;
}
}
|
