elkarte / Elkarte

ElkArte Forum. A free, open source, modern discussion forum / BB
https://elkarte.github.io/Elkarte/
BSD 3-Clause "New" or "Revised" License

Password longer than 64 characters is accepted on registration #3790

Open MorsMortium opened 3 months ago

MorsMortium commented 3 months ago

Describe the bug

When making a new account, the criteria for the password are not written anywhere. When pasting a password longer than 64 characters into the field, it does not display that it's too long. The registration succeeds, but when trying to log in with it, it displays "The supplied password is too long."

ElkArte info

  1. Are you sure this is a core Elkarte problem and not caused by any addon you are using? Yes
  2. What ElkArte version are you using? ElkArte 1.1.9
  3. When did the issue start?
  4. What version of PHP are you running?
  5. MySQL or PostgreSQL and what version?

To Reproduce

Steps to reproduce the behavior:

  1. Go to the register page
  2. Fill out the registration data, and paste a password longer than 64 characters
  3. Click on Register
  4. Try to log in
  5. See "The supplied password is too long."

Expected behavior

That the register page has some text saying that the password has to be at most 64 characters long, and when someone uses a longer password, it warns them again, instead of accepting it.


Spuds commented 3 months ago

Thank you for the report.

Looking at this there are two options.

1) Perform the length check and provide the feedback that the password is too long. This needs to be done during registration and in the profile (when they change passwords). There would be both a JS check and then a server validation as well. Unfortunately there is not a one-file fix here, and two language strings need to be introduced.

2) Accept the long password, as much as the form will allow in length, and do a simple truncate at 64 characters with no feedback. The system would simply use the first 64 characters for all the crypt functions. This would probably only affect a couple of files.

If you have a preference, let me know.

MorsMortium commented 3 months ago

The second option might be what is happening right now. At least the registration was accepted, but I didn't confirm that the password was just the truncated original; instead I made a new one.

But I would prefer the first option, which is used everywhere else and would make less of a surprise than the first, when the registration is successful but with a different password than was originally supplied.

Spuds commented 3 months ago

Sounds good to me ... https://github.com/Spuds/Elkarte/commit/961b2eb5e4f674f1f0f51f47bbb683744c63f19c should take care of the issue during registration and password changes.