Task #100295: Prevent setting empty password in backend password recovery - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Task #100295

closed

Epic #97387: Configurable Password Policies

Prevent setting empty password in backend password recovery

Added by Torben Hansen over 1 year ago. Updated 10 months ago.

Status:

Closed

Priority:

Should have

Assignee:

Torben Hansen

Category:

Target version:

12 LTS

Start date:

2023-03-24

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

If for any reason no password policy is defined in $GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'], it is possible for a user to submit an empty password, if the required attribute of the new password fields in the password reset form is manually removed. TYPO3 will then save an empty password for the user.

Although it is not possible to login to TYPO3 with an empty password, a fallback check for an empty password must be added to resetPassword in TYPO3\CMS\Backend\Authentication\PasswordReset.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Task #100295

Prevent setting empty password in backend password recovery

Updated by Torben Hansen over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Gerrit Code Review over 1 year ago

Updated by Torben Hansen over 1 year ago

Updated by Benni Mack 10 months ago