From 0274597cec0785534564732f89b43a92078eb7f3 Mon Sep 17 00:00:00 2001
From: Giam Teck Choon
Date: Sat, 22 Oct 2016 17:27:33 +0800
Subject: [PATCH 2/4] Add secure passwords feature

Signed-off-by: Giam Teck Choon
---
 inc/util.php | 30 ++++++++++++++++++++++++++++++
 languages/en.lang | 1 +
 perform.php | 12 ++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/inc/util.php b/inc/util.php
index e68eb4c..2b576cc 100644
--- a/inc/util.php
+++ b/inc/util.php
@@ -245,4 +245,34 @@ function rc4_decrypt($key, $message) {
 return $message;
 }
+/* Added by Giam Teck Choon */
+function is_password_secure($password) {
+ if(
+ strlen($password) >= 6 // at least 6 chars
+ && strlen($password) <= 32 // at most 32 chars
+ && preg_match('`[A-Z]`', $password) // at least one upper case
+ && preg_match('`[a-z]`', $password) // at least one lower case
+ && preg_match('`[0-9]`', $password) // at least one digit
+ ) {
+ // valid
+ return true;
+ } else {
+ // not valid
+ return false;
+ }
+}
+
+function is_username_password_identical($username, $password) {
+ $myvuser = explode("@", strtolower(trim($username)));
+ if (is_array($myvuser)) {
+ if (trim($myvuser[0]) == strtolower($password))
+ return true;
+ }
+ else if (strtolower(trim($username)) == strtolower($password))
+ return true;
+ else
+ return false;
+}
+/* /Added by Giam Teck Choon */
+
 ?>
diff --git a/languages/en.lang b/languages/en.lang
index f03dde8..042409d 100644
--- a/languages/en.lang
+++ b/languages/en.lang
@@ -217,3 +217,4 @@ login_failed = Login failed
 no_username = Please enter an username
 no_password = Please enter a password
 password_mismatch = Passwords do not match
+password_insecure = Password must have one or more of a-z, A-Z and 0-9 with at least 6 characters
diff --git a/perform.php b/perform.php
index 26158ea..64e8b7b 100644
--- a/perform.php
+++ b/perform.php
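Review bot: `is_username_password_identical` in the inc/util.php hunk has no return on its main path: `explode()` always returns an array, so `is_array($myvuser)` is always true, the `else if`/`else` branches are dead, and when the local part does not equal the password the function falls off the end and yields null rather than false. It also compares two strings with `==`, which treats numeric-looking values numerically (`'1e3' == '1000'` is true); a rewrite that checks both the local part and the full normalized username with `===` and always returns a bool is below, and `is_password_secure` would read better as a single `return` of its boolean expression. Separately, the 32-byte cap in `is_password_secure` (counted with `strlen`, so bytes rather than characters) is not mentioned in the `password_insecure` message added to en.lang, so a user with a longer passphrase is told only that it needs a-z, A-Z and 0-9; consider raising the cap or stating it in the message. Nothing in this patch calls `is_username_password_identical`, so it is unused as of this commit unless a later patch in the series wires it in.
```php
function is_username_password_identical($username, $password) {
	// explode() always returns an array, so the former is_array() branch was dead
	$normalized = strtolower(trim($username));
	$parts = explode("@", $normalized);
	$candidate = strtolower($password);
	return trim($parts[0]) === $candidate || $normalized === $candidate;
}
```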
@@ -163,6 +163,8 @@ switch($action) {
 raise_error($language['error']['no_username']);
 else if(trim($_POST['form']['password']) == '')
 raise_error($language['error']['no_password']);
+ else if($_POST['form']['password'] != '' && $_POST['form']['password_repeat'] == $_POST['form']['password'] && is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if($_POST['form']['password'] != $_POST['form']['password_repeat'])
 raise_error($language['error']['password_mismatch']);
 else if(!($vm->add_account($_POST['form']['username'], $_POST['form']['password'])
@@ -194,6 +196,8 @@ switch($action) {
 raise_error($language['error']['no_username']);
 else if($_POST['form']['password'] != $_POST['form']['password_repeat'])
 raise_error($language['error']['password_mismatch']);
+ else if($_POST['form']['password'] != '' && $_POST['form']['password_repeat'] == $_POST['form']['password'] && is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!($vm->add_alias($_POST['form']['username'], $_POST['form']['password'])
 && $vm->set_personal($_POST['form']['username'], $_POST['form']['personal'])
 && $vm->set_expiry($_POST['form']['username'], $_POST['form']['expiry'])
@@ -216,6 +220,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!$vm->set_password($_POST['form']['username'], $_POST['form']['password'])) {
 raise_error($vm->last_response());
 }
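Review bot: The `$_POST['form']['password_repeat'] == $_POST['form']['password']` clause in the branches added at -163 and -194 is redundant: at -194 it follows the mismatch branch, so it is already known to hold, and at -163 the new branch could simply be placed after the mismatch check as -194 does, leaving `else if($_POST['form']['password'] != '' && !is_password_secure($_POST['form']['password']))` in both places. The `== false` comparison (also at -216 here and at -237, -276 and -311 in the later hunks) is loose; `!is_password_secure(...)` is the idiomatic form and is exact because the function only ever returns a bool. The branches at -216, -237, -276 and -311 carry no empty-password guard, unlike the first two hunks: if those edit flows treat an empty password as "leave unchanged" (the hunks do not show this; confirm against set_password), an edit touching only other fields would now be rejected with password_insecure, so either mirror the `!= ''` guard or document that an empty password is deliberately refused there. The enclosing switch cases begin and end outside these hunks.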
@@ -237,6 +243,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else if(!$vm->set_password($_POST['form']['username'], $_POST['form']['password'])) {
 raise_error($vm->last_response());
 }
@@ -276,6 +284,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else {
 if($vm->set_password($_SESSION['user'], $_POST['form']['password'])) {
@@ -311,6 +321,8 @@ switch($action) {
 if($_POST['form']['password'] != $_POST['form']['password_repeat']) {
 raise_error($language['error']['password_mismatch']);
 }
+ else if(is_password_secure($_POST['form']['password']) == false)
+ raise_error($language['error']['password_insecure']);
 else {
 if($vm->set_password($_SESSION['user'], $_POST['form']['password'])) {
-- 
1.8.3.1