Project

General

Profile

Actions

Task #100295

closed

Epic #97387: Configurable Password Policies

Prevent setting empty password in backend password recovery

Added by Torben Hansen over 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
Start date:
2023-03-24
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

If for any reason no password policy is defined in $GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'], it is possible for a user to submit an empty password, if the required attribute of the new password fields in the password reset form is manually removed. TYPO3 will then save an empty password for the user.

Although it is not possible to login to TYPO3 with an empty password, a fallback check for an empty password must be added to resetPassword in TYPO3\CMS\Backend\Authentication\PasswordReset.

Actions #1

Updated by Torben Hansen over 1 year ago

  • Description updated (diff)
Actions #2

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78324

Actions #3

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78324

Actions #4

Updated by Torben Hansen over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #5

Updated by Benni Mack 10 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF