From 80b80debf336a932d7bcf5a17a461b2b43c5a4f4 Mon Sep 17 00:00:00 2001
From: Giam Teck Choon
Date: Wed, 21 Aug 2013 02:29:49 +0800
Subject: [PATCH 2/2] Add secure password feature
Signed-off-by: Giam Teck Choon
---
inc/util.php | 30 ++++++++++++++++++++++++++++++
languages/en.lang | 1 +
perform.php | 24 ++++++++++++++++++------
3 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/inc/util.php b/inc/util.php
index e68eb4c..277ec5c 100644
--- a/inc/util.php
+++ b/inc/util.php
@@ -245,4 +245,34 @@ function rc4_decrypt($key, $message) {
 return $message;
 }
+/* Added by Giam Teck Choon */
+function is_password_secure($password) {
+ if(
+ strlen($password) >= 6 // at least 6 chars
+ && strlen($password) <= 32 // at most 32 chars
+ && preg_match('`[A-Z]`', $password) // at least one upper case
+ && preg_match('`[a-z]`', $password) // at least one lower case
+ && preg_match('`[0-9]`', $password) // at least one digit
+ ) {
+ // valid
+ return true;
+ } else {
+ // not valid
+ return false;
+ }
+}
+
+function is_username_password_identical($username, $password) {
+ $myvuser = explode("@", strtolower(trim($username)));
+ if (is_array($myvuser)) {
+ if (trim($myvuser[0]) == strtolower($password))
+ return true;
+ }
+ else if (strtolower(trim($username)) == strtolower($password))
+ return true;
+ else
+ return false;
+}
+/* /Added by Giam Teck Choon */
+
 ?>
diff --git a/languages/en.lang b/languages/en.lang
index f03dde8..042409d 100644
--- a/languages/en.lang
+++ b/languages/en.lang
@@ -217,3 +217,4 @@ login_failed = Login failed
 no_username = Please enter an username
 no_password = Please enter a password
 password_mismatch = Passwords do not match
+password_insecure = Password must have one or more of a-z, A-Z and 0-9 with at least 6 characters
diff --git a/perform.php b/perform.php
index 26158ea..e87190d 100644
--- a/perform.php
+++ b/perform.php
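Review bot: `is_username_password_identical` is defined in this hunk but no hunk in the patch calls it, so the username-as-password case it was written for is still accepted; it needs to be wired into the perform.php branches next to `is_password_secure`. Inside it, `explode()` returns an array for any non-empty delimiter, so the `else if` branch is unreachable and a non-matching local part makes the function fall off the end and return null instead of false; the body can be reduced to `$local = explode("@", strtolower(trim($username)));` followed by `return trim($local[0]) === strtolower($password);`, where `===` also avoids PHP's numeric-string `==` rule treating values such as `"1e3"` and `"1000"` as equal. The `<= 32` cap in `is_password_secure` is not reflected in the `password_insecure` message added to en.lang, so a 40-character passphrase is rejected with a text that only says "at least 6 characters"; unless the mailbox backend enforces a 32-byte limit, consider dropping the cap or naming it in the message.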
@@ -165,6 +165,8 @@ switch($action) {
 raise_error($language['error']['no_password']);
 else if($_POST['form']['password'] != $_POST['form']['password_repeat'])
 raise_error($language['error']['password_mismatch']);
+ else if($_POST['form']['password'] != '' && $_POST['form']['password_repeat'] == $_POST['form']['password'] && is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!($vm->add_account($_POST['form']['username'], $_POST['form']['password'])
 && $vm->set_personal($_POST['form']['username'], $_POST['form']['personal'])
 && $vm->set_softquota($_POST['form']['username'], $_POST['form']['softquota'])
@@ -194,6 +196,8 @@ switch($action) {
 raise_error($language['error']['no_username']);
 else if($_POST['form']['password'] != $_POST['form']['password_repeat'])
 raise_error($language['error']['password_mismatch']);
+ else if($_POST['form']['password'] != '' && $_POST['form']['password_repeat'] == $_POST['form']['password'] && is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!($vm->add_alias($_POST['form']['username'], $_POST['form']['password'])
 && $vm->set_personal($_POST['form']['username'], $_POST['form']['personal'])
 && $vm->set_expiry($_POST['form']['username'], $_POST['form']['expiry'])
@@ -216,6 +220,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!$vm->set_password($_POST['form']['username'], $_POST['form']['password'])) {
 raise_error($vm->last_response());
 }
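Review bot: The new `else if` in the add_account branch restates `$_POST['form']['password_repeat'] == $_POST['form']['password']`, which the preceding `else if` has already established by the time this line is reached, so the condition can be reduced to `else if($_POST['form']['password'] != '' && !is_password_secure($_POST['form']['password']))` (the add_alias hunk below it has the same redundant clause). The commit's own `is_username_password_identical` helper is not consulted in either branch, so a password equal to the local part of `$_POST['form']['username']` still passes; a further `else if(is_username_password_identical($_POST['form']['username'], $_POST['form']['password']))` raising `password_insecure` (or a dedicated message) would close that. The `if` that opens this chain is above the hunk, so whether an empty password already reaches `no_password` before this check cannot be confirmed from here.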
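Review bot: `is_password_secure($_POST['form']['password']) == false` on the new line in the set_password branch is a loose comparison against a boolean return; `!is_password_secure($_POST['form']['password'])` says the same thing and matches how the next line negates `$vm->set_password(...)`. Unlike the add_account and add_alias hunks above, this branch has no `!= ''` guard, so an empty password is now reported as `password_insecure` rather than `no_password`; that is fine if the enclosing condition, which starts above the hunk, already requires a value, but it is worth confirming since the two messages differ. The same shape recurs in the hunk at -237 in the next part of the patch.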
@@ -237,6 +243,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!$vm->set_password($_POST['form']['username'], $_POST['form']['password'])) {
 raise_error($vm->last_response());
 }
@@ -276,8 +284,10 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else {
-
+
 if($vm->set_password($_SESSION['user'], $_POST['form']['password'])) {
 $vm->pass = $_POST['form']['password'];
 $_SESSION['password'] = rc4_encrypt($salt, $_POST['form']['password']);
@@ -285,13 +295,13 @@ switch($action) {
 else {
 raise_error($vm->last_response());
 }
-
+
 }
 }
 if(!($vm->set_forwards($_SESSION['user'], $_POST['form']['forwards'])
 )) {
-
+
 raise_error($vm->last_response());
 }
@@ -311,8 +321,10 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else {
-
+
 if($vm->set_password($_SESSION['user'], $_POST['form']['password'])) {
 $vm->pass = $_POST['form']['password'];
 $_SESSION['password'] = rc4_encrypt($salt, $_POST['form']['password']);
@@ -320,7 +332,7 @@ switch($action) {
 else {
 raise_error($vm->last_response());
 }
-
+
 }
 }
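Review bot: In the self-service branch at -276 the new `is_password_secure` check validates the submitted password, but the user's own name is already at hand in `$_SESSION['user']` and the commit's `is_username_password_identical` helper is not applied, so a password equal to the session user's local part is still accepted here and in the parallel hunk at -311. Adding `else if(is_username_password_identical($_SESSION['user'], $_POST['form']['password'])) raise_error($language['error']['password_insecure']);` before the `else {` closes that gap with a message the patch already provides. The `if` that decides whether a new password was submitted at all lies above the hunk, so it is not visible here whether an empty `$_POST['form']['password']` can reach this check. Pre-existing and outside this change, but visible in the context lines: the accepted password is also stored reversibly in `$_SESSION['password']` via `rc4_encrypt`, which is worth a follow-up of its own.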
@@ -328,7 +340,7 @@ switch($action) {
 && $vm->autoresponse_set($_SESSION['user'], 'Subject: ' . $_POST['form']['autoresponse_subject'] . "\nFrom: " . $_SESSION['user'] . "@" . $_SESSION['domain'] . "\n\n" . $_POST['form']['autoresponse_text'])
 && $vm->autoresponse_set_enabled($_SESSION['user'], $_POST['form']['autoresponse_enabled'] != '')
 )) {
-
+
 raise_error($vm->last_response());
 }
--
1.8.3.4