google-code-export / cpassman

Automatically exported from code.google.com/p/cpassman

String length validation required on "used password" and "confirm" fields #241

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create/edit a new password item
2. Enter in "Used password" (and confirm) fields a password of length greater than 149
3. Save it.
4. Go and view the created/edited password

What is the expected output? What do you see instead?
Expected: password item loaded and can use buttons on right hand side
Actual result: password item loads but cannot use buttons on right hand side and cannot view password

What version of the product are you using?
cpassman-2.0 RC1  and also Teampass-2.1.2

On what operating system? With what Browser (IEx, FFx, ...)
Windows XP, Vista, 7 with IE8, FF, Chrome and Ubuntu with FF,Chrome

Please provide any additional information below.
I noticed that the limit for the Password field in the database is 150 chars, and there is no length validation on the "Used password" and "Confirm" HTML text fields. So if someone copies/pastes in a 2048-bit RSA key this would exceed the limit of the database field after encryption. I recommend using AJAX to validate as they type, maybe adding it in with the "complexity" JS module.

Can I just delete these (just 3) affected records straight from the database table cpassman_items?? Or are there records in other tables that need to be considered before removing the records?

Thanks

Original issue reported on code.google.com by kwok-yao...@fivium.co.uk on 13 Jan 2012 at 5:02

GoogleCodeExporter commented 9 years ago
Good remark ... I'll improve that.

I put a size of 150 thinking that no one will put a password with 150 
characters, but you did it :-D.

Please use "Delete" button for deleting your item.

Original comment by nils.cpa...@gmail.com on 16 Jan 2012 at 7:30

GoogleCodeExporter commented 9 years ago
You must also take into account that after the password gets encrypted, the length of the resulting text may be more than the actual password itself.
E.g. a password of "abc" + encryption = "dmj5dh8)n0\"
So you can imagine that a password with a length of 150 chars could end up being 250 chars after encryption.

The "Delete" button on the right hand side does not work after the password item is loaded.

Original comment by kwok-yao...@fivium.co.uk on 17 Jan 2012 at 9:39
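The ciphertext expansion described in the comment above, as an added example that is not code from the cpassman/Teampass project: a constructed stand-in cipher (HMAC-SHA256 keystream, random nonce, base64 output) shows why a 150-character database column cannot hold the encrypted form of a 150-character password, and how a pre-save length check rejects the item instead of storing a truncated value that can no longer be decrypted. The column width, the cipher and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the application's encryption, NOT Teampass's cipher:
# HMAC-SHA256 keystream XORed with the plaintext, a 16-byte nonce prepended,
# and the whole thing base64-encoded. Any nonce/IV plus base64 expands the
# stored text beyond the plaintext length, which is what the page's comment warns about.
NONCE_LEN = 16
COLUMN_WIDTH = 150  # assumed width of the password column reported in the issue


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: str, nonce: bytes = None) -> str:
    nonce = nonce or os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode("ascii")


def decrypt(key: bytes, token: str) -> str:
    raw = base64.b64decode(token)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def ciphertext_len(plaintext_bytes: int) -> int:
    # base64 emits 4 chars for every 3-byte group of (nonce + ciphertext), rounded up
    return 4 * ((NONCE_LEN + plaintext_bytes + 2) // 3)


def max_plaintext_len(column_width: int = COLUMN_WIDTH) -> int:
    # Largest plaintext byte length whose encrypted form still fits the column;
    # this is the number the client-side length check should enforce.
    n = 0
    while ciphertext_len(n + 1) <= column_width:
        n += 1
    return n


def store_password(key: bytes, plaintext: str, column_width: int = COLUMN_WIDTH) -> str:
    # Server-side guard: refuse the item rather than let the database truncate it.
    token = encrypt(key, plaintext)
    if len(token) > column_width:
        raise ValueError(f"encrypted value is {len(token)} chars, column holds {column_width}")
    return token
```

With a 16-byte nonce and base64, a 150-character password encrypts to 224 characters, and the longest password that still fits a 150-character column is 95 bytes; a real deployment should compute this limit from its own cipher and column width.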

GoogleCodeExporter commented 9 years ago
I've improved this ... but I've put a limit of 40 characters for a password due to the encryption. More characters make the encrypted sentence too long.

This is corrected in the next 2.1.4 release.

Original comment by nils.cpa...@gmail.com on 24 Jan 2012 at 8:46