Invitation process doesn't trigger insecure password check #19573

Closed
Findus23 opened this issue Jul 27, 2022 · 0 comments · Fixed by #19576
@Findus23 (Member)

Whenever a new user in Matomo is created or a password is changed, Matomo calls the UsersManager.checkPassword event and, if it fails, warns the user that the password is insecure.

public static function checkPassword($password)

That's used by https://plugins.matomo.org/PasswordVerifier and other plugins to disallow some kinds of passwords.

But with the new invitation process and acceptInvitation(), this function is never called in the process and only the built-in basic check is done:

// validate password
if (!UsersManager::isValidPasswordString($password)) {
$error = Piwik::translate('UsersManager_ExceptionInvalidPassword', [UsersManager::PASSWORD_MIN_LENGTH]);
}

This means users could sign up with passwords that don't match the password requirements.

Matomo Version: 04c1149
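To make the gap concrete, here is an added illustration (not Matomo code, and not the fix that landed in the linked pull request) of why every path that accepts a new password should run through one shared validation routine. The event bus, the denylist plugin, the minimum length value and the sample passwords are constructed stand-ins; only the event name UsersManager.checkPassword and the names isValidPasswordString and PASSWORD_MIN_LENGTH come from the report above.

```php
<?php
// Added illustration, not Matomo code: models the gap described in the issue,
// where the invitation path runs only the built-in length check and never
// dispatches the plugin-facing UsersManager.checkPassword event.
// EventBus, the denylist subscriber and the sample passwords are constructed.

declare(strict_types=1);

final class PasswordPolicyException extends RuntimeException {}

// Minimal stand-in for an event dispatcher: every subscriber registered for an
// event name is called, in registration order, with the posted arguments.
final class EventBus
{
    /** @var array<string, list<callable>> */
    private array $subscribers = [];

    public function on(string $event, callable $listener): void
    {
        $this->subscribers[$event][] = $listener;
    }

    public function post(string $event, array $args = []): void
    {
        foreach ($this->subscribers[$event] ?? [] as $listener) {
            $listener(...$args);
        }
    }
}

// Built-in minimum check; the value is assumed for this illustration.
const PASSWORD_MIN_LENGTH = 6;

function isValidPasswordString(string $password): bool
{
    return mb_strlen($password) >= PASSWORD_MIN_LENGTH;
}

// Plugin-style subscriber (constructed): rejects a small set of common
// passwords. A real policy plugin hooks the same event with its own rules.
$denylist = ['password', '123456', 'qwerty', 'letmein'];
$bus = new EventBus();
$bus->on('UsersManager.checkPassword', function (string $password) use ($denylist): void {
    if (in_array(strtolower($password), $denylist, true)) {
        throw new PasswordPolicyException('Password is on the denylist');
    }
});

// One shared routine that every password-accepting path must call.
function validateNewPassword(EventBus $bus, string $password): void
{
    if (!isValidPasswordString($password)) {
        throw new PasswordPolicyException(
            sprintf('Password must be at least %d characters', PASSWORD_MIN_LENGTH)
        );
    }
    // The plugin hook runs here too, so a policy plugin cannot be sidestepped
    // by reaching the account through the invitation flow instead of user creation.
    $bus->post('UsersManager.checkPassword', [$password]);
}

// Before: invitation acceptance ran only the built-in check (the reported gap).
function acceptInvitationBefore(string $password): bool
{
    return isValidPasswordString($password);
}

// After: invitation acceptance goes through the same shared routine.
function acceptInvitationFixed(EventBus $bus, string $password): bool
{
    try {
        validateNewPassword($bus, $password);
        return true;
    } catch (PasswordPolicyException $e) {
        return false;
    }
}

// Constructed sample passwords: one denylisted, one too short, one acceptable.
foreach (['qwerty', 'short', 'Correct-Horse-7'] as $candidate) {
    printf(
        "%-16s before=%s fixed=%s\n",
        $candidate,
        acceptInvitationBefore($candidate) ? 'accepted' : 'rejected',
        acceptInvitationFixed($bus, $candidate) ? 'accepted' : 'rejected'
    );
}
```

The point of the shared routine is that a plugin author only has to subscribe once: with the length check and the event dispatch living in the same function, a new code path (invitation, bulk import, API endpoint) either calls it and inherits the full policy, or visibly skips it in review. In this toy run, `qwerty` passes the six-character check and is accepted by the "before" path but rejected once the hook fires.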

@Findus23 Findus23 added the Bug For errors / faults / flaws / inconsistencies etc. label Jul 27, 2022
@Findus23 Findus23 added this to the 4.12.0 milestone Jul 27, 2022
@peterhashair peterhashair self-assigned this Jul 27, 2022
@peterhashair peterhashair linked a pull request Jul 27, 2022 that will close this issue
@sgiehl sgiehl modified the milestones: 4.12.0, 4.11.0 Jul 28, 2022
@sgiehl sgiehl closed this as completed Aug 1, 2022
@justinvelluppillai justinvelluppillai added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Sep 29, 2022