#193 min_password_length ignored if current password check fails

closed-fixed
nobody
Core (82)
5
2013-12-01
2010-04-15
No

In the user's change password form, if the current password field doesn't match the current password and the new password fields are shorter than min_password_length, the "Password is too short - requires 5 characters" message is displayed, but the password is changed anyway, so both checks are circumvented. I discovered that this is due to a bug in the way errors are counted. A patch to fix it is attached.

Discussion

  • Christian Boltz

    Christian Boltz - 2010-05-18

    Oops, this shouldn't happen :-( Thanks for reporting and the patch!

    Fortunately only authenticated users can access the "change password" page, therefore the severity of this bug is limited.

    Fixed in SVN r829 (trunk), will be backported to the 2.3 branch also.

     
  • Christian Boltz

    Christian Boltz - 2010-05-18
    • status: open --> closed-fixed
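
An added illustration of the failure mode reported in this ticket, not code from the project or from the attached patch. The "exactly one error" gate is an assumed way an error count can go wrong, and the function names and in-memory account are hypothetical; the fixed variant blocks the update whenever any check fails.

```python
MIN_PASSWORD_LENGTH = 5  # matches the "requires 5 characters" message in the report


def check(account, current, new, confirm):
    """Return the list of validation messages for a change-password request."""
    messages = []
    if current != account["password"]:  # sketch only: real code verifies a hash
        messages.append("Current password is wrong")
    if len(new) < MIN_PASSWORD_LENGTH:
        messages.append(
            f"Password is too short - requires {MIN_PASSWORD_LENGTH} characters")
    if new != confirm:
        messages.append("New passwords do not match")
    return messages


def change_password_flawed(account, current, new, confirm):
    """Assumed miscount: failures are tallied, but the gate tests for exactly 1."""
    messages = check(account, current, new, confirm)
    error = len(messages)
    if error == 1:               # two simultaneous failures give error == 2 ...
        return messages
    account["password"] = new    # ... so the update still runs
    return messages


def change_password_fixed(account, current, new, confirm):
    """Update only when no check produced a message."""
    messages = check(account, current, new, confirm)
    if not messages:
        account["password"] = new
    return messages


def demo():
    """Run the reported input (wrong current password, short new one) on both."""
    results = {}
    for name, fn in (("flawed", change_password_flawed),
                     ("fixed", change_password_fixed)):
        account = {"password": "correct-horse"}  # constructed sample account
        messages = fn(account, "not-the-password", "abc", "abc")
        results[name] = (account["password"], len(messages))
    return results


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug should submit every combination of failing checks, not each check in isolation, and assert that the stored credential is unchanged.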
     
