Bug #78880

closed

User settings: passwords get truncated without further notice

Added by Christian Futterlieb almost 8 years ago. Updated 5 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend JavaScript
Target version: -
Start date: 2016-12-04
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hi core team!

In the user settings form, when a new password with more than 100 chars is entered, it is truncated to 100 chars (of the plaintext password). Then the salt instance gets only the 100 chars and creates the password hash. This leads to the situation that a user can change his password to a value that is in fact not his password.

I think this could be solved by adding a 'maxlength' attribute to the password fields (like in the be_users TCE form) and a check on the server side to prevent too-long passwords from being saved (maybe by adding a 'max' option to the password fields in $GLOBALS['TYPO3_USER_SETTINGS']['columns']?).

Or, for the sake of user-friendliness, it would be a nice touch if the 'maxlength' attribute were omitted in favour of a JS-based check which won't let the user submit the form and tells him about the problems (surely leaving the server-side check in place).

All TYPO3 versions from 6.2 through master are affected.

What do you think?

Regards, Christian
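
The truncation described in this report, modelled as an added example that is not part of the original report and is not TYPO3 code: it shows the stored hash matching only the 100-character prefix, next to a server-side check that rejects the input instead. The function names, the use of scrypt as the salted hash, and the assumption that the login path hashes the full typed value are all hypothetical.

```javascript
// Added illustration: a model of the reported behaviour, not TYPO3 code.
const crypto = require('crypto');

const MAX_LEN = 100; // limit named in the report

// Hypothetical stand-in for the salted hashing step (scrypt, random salt).
function hashPassword(plain) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(plain, salt, 32);
  return { salt, key };
}

// Assumption: the login path hashes the full value the user types.
function verifyPassword(plain, stored) {
  const key = crypto.scryptSync(plain, stored.salt, 32);
  return crypto.timingSafeEqual(key, stored.key);
}

// Behaviour described in the report: input is cut to 100 chars, then hashed.
function saveTruncating(plain) {
  return hashPassword(plain.slice(0, MAX_LEN));
}

// Suggested server-side check: refuse over-long input instead of cutting it.
function saveRejecting(plain) {
  if (plain.length > MAX_LEN) {
    throw new RangeError(`password exceeds ${MAX_LEN} characters`);
  }
  return hashPassword(plain);
}

// Constructed sample: a 120-character passphrase.
const chosen = 'correct horse battery staple '.repeat(5).slice(0, 120);

function demo() {
  const stored = saveTruncating(chosen);
  let rejected = false;
  try { saveRejecting(chosen); } catch (e) { rejected = e instanceof RangeError; }
  return {
    fullPasswordLogsIn: verifyPassword(chosen, stored),             // false
    prefixLogsIn: verifyPassword(chosen.slice(0, MAX_LEN), stored), // true
    rejected,                                                       // true
  };
}

console.log(demo());
```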


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Task #79532: Show remaining characters in be user settings (Closed, Georg Ringer, 2017-01-29)
