Project

General

Profile

Actions

Bug #78880

closed

User settings: passwords get truncated without further notice

Added by Christian Futterlieb almost 8 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend JavaScript
Target version:
-
Start date:
2016-12-04
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Hi core team!

In the user settings form, when a new password with more than 100 chars is entered, it is truncated to 100 chars (of the plaintext password). Then the salt instance gets only the 100 chars and creates the password hash. Which leads to the situation, that a user can change his password to a value that is in fact not his password.

I think this could be solved by adding a 'maxlenght' attribute to the password fields (like in be_users tce form) and a check on the server side to prevent too long passwords to get saved (maybe by adding a 'max' option to the password fields in $GLOBALS['TYPO3_USER_SETTINGS']['columns']?).

Or for the sake of user-friendlyness it would be a nice touch, when the 'maxlenght' attribute would be omitted in favour of a js-based check which won't let the user submit the form and tells him about the problems (surely leaving the server-side check in place).

All TYPO3 versions from 6.2 through master are affected.

What do you think?

Regards, Chrstian


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #79532: Show remaining characters in be user settingsClosedGeorg Ringer2017-01-29

Actions
Actions #1

Updated by Riccardo De Contardi over 7 years ago

In list view there already is a javascript check for the remaining characters; the same could be used in the user settings module, I think.

Actions #2

Updated by Riccardo De Contardi almost 5 years ago

This issue still remains on 10.3.0-dev (latest master)

Actions #3

Updated by Susanne Moog over 4 years ago

  • Category set to Backend JavaScript
Actions #4

Updated by Christian Eßl over 4 years ago

  • Related to Task #79532: Show remaining characters in be user settings added
Actions #5

Updated by Gerrit Code Review over 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966

Actions #6

Updated by Gerrit Code Review over 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966

Actions #7

Updated by Gerrit Code Review about 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63966

Actions #8

Updated by Benni Mack about 3 years ago

  • Status changed from Under Review to New
Actions #9

Updated by Georg Ringer 5 months ago

  • Status changed from New to Closed

closing the issue as this couldn't be reproduced in v13 with password

m8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuBm8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuBm8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuBm8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuBm8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuBm8d-6UtQLE3?$_DKgG)r:/WH;,<^w!c{Z=#`M}Cs]@n[hXxvuB

Actions

Also available in: Atom PDF