maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

fight stupidity - teach your customers not to use password == username

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2014-05-18 11:16:35 +02:00
parent 6e4ff4705b
commit 3c8bf348d1
4 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
customer_email.php
View File

@@ -446,6 +446,9 @@ if ($page == 'overview') {
} }
elseif ($password == '' && !(Settings::Get('panel.sendalternativemail') == 1 && validateEmail($alternative_email))) { elseif ($password == '' && !(Settings::Get('panel.sendalternativemail') == 1 && validateEmail($alternative_email))) {
standard_error(array('stringisempty', 'mypassword')); standard_error(array('stringisempty', 'mypassword'));
}
elseif ($password == $email_full) {
standard_error('passwordshouldnotbeusername');
} else { } else {
if ($password == '') { if ($password == '') {
$password = substr(md5(uniqid(microtime(), 1)), 12, 6); $password = substr(md5(uniqid(microtime(), 1)), 12, 6);
@@ -632,6 +635,10 @@ if ($page == 'overview') {
standard_error(array('stringisempty', 'mypassword')); standard_error(array('stringisempty', 'mypassword'));
exit; exit;
} }
elseif ($password = $result['email_full']) {
standard_error('passwordshouldnotbeusername');
exit;
}
$password = validatePassword($password); $password = validatePassword($password);
@@ -887,5 +894,3 @@ if ($page == 'overview') {
} }
} }
} }
?>

6
customer_extras.php
View File

@@ -133,6 +133,8 @@ if ($page == 'overview') {
standard_error(array('stringisempty', 'mypassword')); standard_error(array('stringisempty', 'mypassword'));
} elseif ($path == '') { } elseif ($path == '') {
standard_error('patherror'); standard_error('patherror');
} elseif ($_POST['directory_password'] == $username) {
standard_error('passwordshouldnotbeusername');
} else { } else {
$stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_HTPASSWDS . "` SET $stmt = Database::prepare("INSERT INTO `" . TABLE_PANEL_HTPASSWDS . "` SET
`customerid` = :customerid, `customerid` = :customerid,
@@ -184,6 +186,10 @@ if ($page == 'overview') {
$password = crypt($_POST['directory_password']); $password = crypt($_POST['directory_password']);
} }
if ($_POST['directory_password'] == $result['username']) {
standard_error('passwordshouldnotbeusername');
}
$params = array( $params = array(
"customerid" => $userinfo['customerid'], "customerid" => $userinfo['customerid'],
"id" => $id "id" => $id

9
customer_mysql.php
View File

@@ -178,6 +178,11 @@ if ($page == 'overview') {
$userinfo['mysql_lastaccountnumber'] $userinfo['mysql_lastaccountnumber']
); );
// we've checked against the password in dbm->createDatabase
if ($username == false) {
standard_error('passwordshouldnotbeusername');
}
// Statement modified for Database description -- PH 2004-11-29 // Statement modified for Database description -- PH 2004-11-29
$stmt = Database::prepare('INSERT INTO `' . TABLE_PANEL_DATABASES . '` $stmt = Database::prepare('INSERT INTO `' . TABLE_PANEL_DATABASES . '`
(`customerid`, `databasename`, `description`, `dbserver`) (`customerid`, `databasename`, `description`, `dbserver`)
@@ -307,6 +312,10 @@ if ($page == 'overview') {
// validate password // validate password
$password = validatePassword($password); $password = validatePassword($password);
if ($password == $result['databasename']) {
standard_error('passwordshouldnotbeusername');
}
// Begin root-session // Begin root-session
Database::needRoot(true); Database::needRoot(true);
foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) { foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {

7
lib/classes/database/class.DbManager.php
View File

@@ -64,7 +64,7 @@ class DbManager {
* @param string $password * @param string $password
* @param int $last_accnumber * @param int $last_accnumber
* *
* @return string $username * @return string|bool $username if successful or false of username is equal to the password
*/ */
public function createDatabase($loginname = null, $password = null, $last_accnumber = 0) { public function createDatabase($loginname = null, $password = null, $last_accnumber = 0) {
@@ -84,6 +84,11 @@ class DbManager {
$username = $loginname . Settings::Get('customer.mysqlprefix') . (intval($last_accnumber) + 1); $username = $loginname . Settings::Get('customer.mysqlprefix') . (intval($last_accnumber) + 1);
} }
// don't use a password that is the same as the username
if ($username == $password) {
return false;
}
// now create the database itself // now create the database itself
$this->getManager()->createDatabase($username); $this->getManager()->createDatabase($username);
$this->_log->logAction(USR_ACTION, LOG_INFO, "created database '" . $username . "'"); $this->_log->logAction(USR_ACTION, LOG_INFO, "created database '" . $username . "'");