Task #100295
closed
Epic #97387: Configurable Password Policies
Prevent setting empty password in backend password recovery
100%
Description
If for any reason no password policy is defined in $GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'], it is possible for a user to submit an empty password, if the required attribute of the new password fields in the password reset form is manually removed. TYPO3 will then save an empty password for the user.
Although it is not possible to login to TYPO3 with an empty password, a fallback check for an empty password must be added to resetPassword in TYPO3\CMS\Backend\Authentication\PasswordReset.
Updated by Gerrit Code Review about 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78324
Updated by Gerrit Code Review about 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78324
Updated by Torben Hansen about 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1ee7cda2a589d4a8e717fb7b9fd93d3a5f0a3acb.
Updated by