Menu
▾
▴
[SM-PLUGINS] changing SASL passwords
|
From: Brad J. D. <buc...@us...> - 2003-08-25 23:00:55
|
G'day folx,
As we use Cyrus and SASL here, I tried to make use of the new chg_sasl_pa=
ss
plugin and had some difficulty. I don't know if some of it is related to =
my
install of SM 1.4.1 or if the issues are broader than that. Our site is b=
ehind
SSL and not accessable via the standard http port 80 at all. Here are som=
e of
the things that I found:
1) security issue, it allows the a user to attempt to change someone else=
s
password: fixed by removing the Username field
2) does not do any minimum password length checks: added a config.php fil=
e and
a check to make sure str_len(new_pass) > minlenth; (could add various oth=
er
rules such as case mixtures, numeric and special char requirements, plus
dictionary based words used, but I didn't have the energy or time...)
3) does not maintain the user's selected theme and color settings: correc=
ted
order of include_once's to fix this, plus the SM_PATH and chdir had to be
changed and associated code
4) the header was sent before the META REFRESH on a successfull change: I=
moved
displayPageHeader lower in the code and added the JavaScript code to avoi=
d SSL
errors when going to the signout page. Do some browsers use <Meta> tages =
in
the body?
5) it was also missing a version file
6) certain password chars were getting escaped, leaving the user with a n=
ew
password but unless they knew how PHP escaped them, they were unable to l=
og
back in: removed escapeshellcmd (is this a good thing???) and added a qui=
ck
message saying the change was successful
Question on #6: now I know that filtering user input for things like buff=
er
overflows, embedded shell commands, etc... is a good thing. But we would =
want
to take the password verbatem as the user supplied it, as long as it fit
within the password rules. Am I missing something and we should really es=
cape
the new passwords and then unescape them or something like that?
That's all for now. Back to testing my new code, then I'll send a patch o=
ff to
Galen Johnson for review.
l8'r,
Brad
--
require_once=A0('legalese.php');
require_once=A0('email_EULA.php');
require_once=A0('standard_disclaimer');
standard_disclaimer($GNEW);
|