Bug #78880
open
User settings: passwords get truncated without further notice
Description
Hi core team!
In the user settings form, when a new password with more than 100 chars is entered, it is truncated to 100 chars (of the plaintext password). Then the salt instance gets only the 100 chars and creates the password hash. This leads to the situation that a user can change his password to a value that is in fact not his password.
I think this could be solved by adding a 'maxlength' attribute to the password fields (like in the be_users TCE form) and a check on the server side to prevent too-long passwords from being saved (maybe by adding a 'max' option to the password fields in $GLOBALS['TYPO3_USER_SETTINGS']['columns']?).
Or, for the sake of user-friendliness, it would be a nice touch if the 'maxlength' attribute were omitted in favour of a JS-based check which won't let the user submit the form and tells him about the problems (surely leaving the server-side check in place).
All TYPO3 versions from 6.2 through master are affected.
What do you think?
Regards, Christian
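The truncate-then-hash behaviour described in the report, next to a server-side length check that rejects the input instead, as an added example that is not TYPO3 code and not part of the original report. The function names, the PBKDF2 stand-in for the salt instance, and the assumption that the login path hashes the full submitted password are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; none of this is TYPO3 API.
const MAX_PASSWORD_LENGTH = 100; // limit taken from the report

/** PBKDF2 stand-in (assumption) for the salt instance that creates the hash. */
function hashPassword(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, 10000);
}

/** Behaviour described in the report: cut silently, then hash what is left. */
function storeTruncated(string $password, string $salt): string
{
    return hashPassword(mb_substr($password, 0, MAX_PASSWORD_LENGTH), $salt);
}

/** Server-side check: refuse over-long input instead of altering it. */
function storeValidated(string $password, string $salt): string
{
    if (mb_strlen($password) > MAX_PASSWORD_LENGTH) {
        throw new InvalidArgumentException(
            'Password is longer than ' . MAX_PASSWORD_LENGTH . ' characters; nothing was saved.'
        );
    }
    return hashPassword($password, $salt);
}

// Constructed sample input: a 120-character passphrase.
$salt = random_bytes(16);
$chosen = str_repeat('correct horse ', 8) . 'battery!';

$stored = storeTruncated($chosen, $salt);

// Assumed login path: hash the submitted value in full and compare.
$fullMatches = hash_equals($stored, hashPassword($chosen, $salt));
$prefixMatches = hash_equals($stored, hashPassword(mb_substr($chosen, 0, 100), $salt));
echo 'typed password verifies: ', var_export($fullMatches, true), PHP_EOL;
echo 'first 100 chars verify:  ', var_export($prefixMatches, true), PHP_EOL;

// With the check in place the user is told, and the stored hash is untouched.
try {
    storeValidated($chosen, $salt);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```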
Updated by Riccardo De Contardi about 7 years ago
In list view there already is a JavaScript check for the remaining characters; the same could be used in the user settings module, I think.
Updated by Riccardo De Contardi over 4 years ago
This issue still remains on 10.3.0-dev (latest master)
Updated by Christian Eßl about 4 years ago
- Related to Task #79532: Show remaining characters in be user settings added
Updated by Gerrit Code Review about 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966
Updated by Gerrit Code Review almost 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966
Updated by Gerrit Code Review over 3 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966