From: Brad J. D. <buc...@us...> - 2003-08-25 23:00:55
G'day folx,

As we use Cyrus and SASL here, I tried to make use of the new chg_sasl_pass plugin and had some difficulty. I don't know if some of it is related to my install of SM 1.4.1 or if the issues are broader than that. Our site is behind SSL and not accessible via the standard http port 80 at all. Here are some of the things that I found:

1) security issue, it allows a user to attempt to change someone else's password: fixed by removing the Username field

2) does not do any minimum password length checks: added a config.php file and a check to make sure str_len(new_pass) > minlength; (could add various other rules such as case mixtures, numeric and special char requirements, plus dictionary based words used, but I didn't have the energy or time...)

3) does not maintain the user's selected theme and color settings: corrected order of include_once's to fix this, plus the SM_PATH and chdir had to be changed and associated code

4) the header was sent before the META REFRESH on a successful change: I moved displayPageHeader lower in the code and added the JavaScript code to avoid SSL errors when going to the signout page. Do some browsers use <Meta> tags in the body?

5) it was also missing a version file

6) certain password chars were getting escaped, leaving the user with a new password but unless they knew how PHP escaped them, they were unable to log back in: removed escapeshellcmd (is this a good thing???) and added a quick message saying the change was successful

Question on #6: now I know that filtering user input for things like buffer overflows, embedded shell commands, etc... is a good thing. But we would want to take the password verbatim as the user supplied it, as long as it fit within the password rules. Am I missing something and we should really escape the new passwords and then unescape them or something like that?

That's all for now. Back to testing my new code, then I'll send a patch off to Galen Johnson for review.

l8'r,
Brad
--
require_once ('legalese.php');
require_once ('email_EULA.php');
require_once ('standard_disclaimer');
standard_disclaimer($GNEW);
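The two points Brad raises in items 2 and 6 (a password-rule check, and why escapeshellcmd() leaves the user with a secret they did not type) can be shown side by side. The following is an added example written for this page; it is not code from the chg_sasl_pass plugin or from SquirrelMail. The policy keys, the helper names and the saslpasswd2 invocation are assumptions: check_password_policy() applies the kinds of rules the post lists, escaping_changes_password() shows that escapeshellcmd() rewrites the bytes, and set_sasl_password() avoids the escaping question entirely by never building a shell command line, handing the password to saslpasswd2 over stdin (its -p pipe mode) via proc_open() with an argv array, which needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the chg_sasl_pass plugin or SquirrelMail.
// Policy keys, helper names and the saslpasswd2 flags are assumptions.

// Password rules of the kind the post mentions: minimum length, case mix,
// digit, special character, and a (constructed) dictionary deny-list.
// Returns a list of human-readable failures; an empty array means the
// candidate passes.
function check_password_policy(string $new_pass, array $policy): array {
    $failures = [];
    if (strlen($new_pass) < $policy['min_length']) {
        $failures[] = "must be at least {$policy['min_length']} characters";
    }
    if ($policy['require_mixed_case']
        && !(preg_match('/[a-z]/', $new_pass) && preg_match('/[A-Z]/', $new_pass))) {
        $failures[] = 'must contain both upper- and lower-case letters';
    }
    if ($policy['require_digit'] && !preg_match('/\d/', $new_pass)) {
        $failures[] = 'must contain a digit';
    }
    if ($policy['require_special'] && !preg_match('/[^A-Za-z0-9]/', $new_pass)) {
        $failures[] = 'must contain a non-alphanumeric character';
    }
    // Constructed stand-in for a real dictionary check.
    $dictionary = ['password', 'letmein', 'welcome'];
    if (in_array(strtolower($new_pass), $dictionary, true)) {
        $failures[] = 'is a dictionary word';
    }
    return $failures;
}

// Why escapeshellcmd() is the wrong tool for a password: it inserts
// backslashes before shell metacharacters, so whatever is stored or
// written downstream is no longer the string the user typed.
function escaping_changes_password(string $new_pass): bool {
    return escapeshellcmd($new_pass) !== $new_pass;
}

// Set the password without a shell: proc_open() with an argv array runs the
// binary directly, so no character is shell-interpreted, and feeding the
// secret on stdin keeps it out of the process list. The username must come
// from the authenticated session, never from a form field (item 1 in the post).
function set_sasl_password(string $user, string $new_pass,
                           string $saslpasswd2 = '/usr/sbin/saslpasswd2'): bool {
    $cmd  = [$saslpasswd2, '-p', '-c', $user];   // -p: read password from stdin (assumed flags)
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $new_pass);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// Usage with constructed sample values.
$policy = [
    'min_length'         => 8,
    'require_mixed_case' => true,
    'require_digit'      => true,
    'require_special'    => true,
];
$candidate = 'Tr0ub4dor&3';                         // constructed sample password
var_dump(check_password_policy($candidate, $policy));
var_dump(check_password_policy('short', $policy));
var_dump(escaping_changes_password('p@ss;word'));   // ';' would get a backslash

$failures = check_password_policy($candidate, $policy);
if ($failures === [] && escaping_changes_password($candidate)) {
    // Unescaped bytes go to saslpasswd2 unchanged, so the user can log back in.
    set_sasl_password($_SESSION['username'] ?? 'example-user', $candidate);
}
```

The design choice here is to make the escaping question disappear rather than answer it: escaping is only needed when a string is about to be parsed by a shell, and a password handed directly to the process over a pipe is never parsed by one, so it can be stored verbatim as long as it satisfies the policy check.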