davrot/forgejo_backup
1
0
Fork 0
mirror of https://codeberg.org/davrot/forgejo.git synced 2025-05-18 08:00:01 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ensure complexity, minlength and ispwned are checked on password setting (#18005)

Browse source 
It appears that there are several places that password length, complexity and ispwned
are not currently been checked when changing passwords. This PR adds these.

Fix #17977

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
zeripath 2021-12-17 02:03:39 +00:00 committed by GitHub
parent dab28c7049
commit d29b689f81
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
routers/api/v1/admin/user.go
View file

@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/convert"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/password"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/web"
"code.gitea.io/gitea/routers/api/v1/user"
@ -173,6 +174,10 @@ func EditUser(ctx *context.APIContext) {
}
if len(form.Password) != 0 {
if len(form.Password) < setting.MinPasswordLength {
ctx.Error(http.StatusBadRequest, "PasswordTooShort", fmt.Errorf("password must be at least %d characters", setting.MinPasswordLength))
return
}
if !password.IsComplexEnough(form.Password) {
err := errors.New("PasswordComplexity")
ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)