Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/02/20 21:25:24 UTC
[jspwiki] 05/06: JSPWIKI-79 - Ounce Labs Security Finding: Authentication - Change Password
This is an automated email from the ASF dual-hosted git repository.
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 07e1f828b6d3a23b008f1197a3faaaaf2a353b00
Author: Juan Pablo Santos Rodríguez <ju...@gmail.com>
AuthorDate: Sun Feb 20 22:24:32 2022 +0100
JSPWIKI-79 - Ounce Labs Security Finding: Authentication - Change Password
---
.../src/main/java/org/apache/wiki/auth/DefaultUserManager.java | 9 ++++++---
jspwiki-main/src/main/resources/templates/default.properties | 2 ++
.../src/main/resources/templates/default_es.properties | 2 ++
.../src/main/resources/templates/default_fr.properties | 2 ++
jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp | 10 +++++-----
jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp | 10 +++++-----
6 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
index 99e78c6..56ddd19 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
@@ -313,7 +313,6 @@ public class DefaultUserManager implements UserManager {
/** {@inheritDoc} */
@Override
public void validateProfile( final Context context, final UserProfile profile ) {
- final boolean isNew = profile.isNew();
final Session session = context.getWikiSession();
final InputValidator validator = new InputValidator( SESSION_MESSAGES, context );
final ResourceBundle rb = Preferences.getBundle( context, InternationalizationManager.CORE_BUNDLE );
@@ -341,19 +340,23 @@ public class DefaultUserManager implements UserManager {
validator.validateNotNull( profile.getFullname(), rb.getString("security.user.fullname") );
validator.validate( profile.getEmail(), rb.getString("security.user.email"), InputValidator.EMAIL );
- // If new profile, passwords must match and can't be null
if( !m_engine.getManager( AuthenticationManager.class ).isContainerAuthenticated() ) {
final String password = profile.getPassword();
if( password == null ) {
- if( isNew ) {
+ if( profile.isNew() ) {
+ // If new profile, passwords must match and can't be null
session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.blankpassword" ) );
}
} else {
final HttpServletRequest request = context.getHttpRequest();
+ final String password0 = ( request == null ) ? null : request.getParameter( "password0" );
final String password2 = ( request == null ) ? null : request.getParameter( "password2" );
if( !password.equals( password2 ) ) {
session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.passwordnomatch" ) );
}
+ if( !profile.isNew() && !getUserDatabase().validatePassword( profile.getLoginName(), password0 ) ) {
+ session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.passwordnomatch" ) );
+ }
}
}
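Review bot: The failed current-password check on lines 50-51 reports `security.error.passwordnomatch`, the same message the preceding block uses when the new password and its verification differ, so a user who mistypes the current password is told the two new passwords do not match. A separate bundle key (for example `security.error.oldpasswordnomatch`, to be added to the bundle) would keep the two conditions distinguishable in the form and in any log that records the message. The check verifies the password against `profile.getLoginName()`; if that value is parsed from the submitted form rather than taken from the authenticated `session`, the identity being verified should come from the session principal instead, which is worth confirming against how the profile is built. When `request` is null, `password0` is null and is passed straight into `validatePassword`, and whether every `UserDatabase` implementation tolerates a null password is not visible here, so a `password0 == null` guard that adds the same error ahead of the call would be safer. `validateProfile` continues past the end of this hunk.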
diff --git a/jspwiki-main/src/main/resources/templates/default.properties b/jspwiki-main/src/main/resources/templates/default.properties
index 501a65f..e9fe16f 100644
--- a/jspwiki-main/src/main/resources/templates/default.properties
+++ b/jspwiki-main/src/main/resources/templates/default.properties
@@ -418,6 +418,8 @@ prefs.loginname.cannotset.exists=You cannot set your login name because \
prefs.password=Password *
prefs.password.description=Sets your account password. It may not be blank.
+prefs.password0=Current Password *
+prefs.password1=New Password *
prefs.password2=Password verify *
prefs.password2.description=Re-type your password for verification.
diff --git a/jspwiki-main/src/main/resources/templates/default_es.properties b/jspwiki-main/src/main/resources/templates/default_es.properties
index 5519cde..e8b62e5 100644
--- a/jspwiki-main/src/main/resources/templates/default_es.properties
+++ b/jspwiki-main/src/main/resources/templates/default_es.properties
@@ -423,6 +423,8 @@ prefs.loginname.cannotset.exists=No puedes establecer tu nombre de inicio de ses
prefs.password=Contrase�a *
prefs.password.description=Establece la contrase�a de acceso a la cuenta. No puede estar en blanco.
+prefs.password0=Contrase�a Actual *
+prefs.password1=Nueva Contrase�a *
prefs.password2=Verificaci�n de contrase�a *
prefs.password2.description=Escribe tu contrase�a otra vez para verificarla.
diff --git a/jspwiki-main/src/main/resources/templates/default_fr.properties b/jspwiki-main/src/main/resources/templates/default_fr.properties
index a692aca..835b776 100644
--- a/jspwiki-main/src/main/resources/templates/default_fr.properties
+++ b/jspwiki-main/src/main/resources/templates/default_fr.properties
@@ -466,6 +466,8 @@ prefs.loginname.cannotset.exists=Vous ne pouvez pas fixer votre identifiant car
prefs.password=Mot de passe *
prefs.password.description=Fixe le mot de passe de votre compte. Il ne peut pas \u00EAtre blanc.
+prefs.password0=Mot de passe actuel *
+prefs.password1=nNouveau mot de passe *
prefs.password2=V\u00E9rification du mot de passe *
prefs.password2.description=Re-saisissez votre mot de passe pour v\u00E9rification.
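Review bot: The added `prefs.password1` value reads `nNouveau mot de passe *`, a doubled leading letter that will be displayed verbatim in the French profile form; the line should be `prefs.password1=Nouveau mot de passe *`. The same two keys added in default.properties and default_es.properties do not have this problem.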
diff --git a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
index 50349af..969734f 100644
--- a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
@@ -40,7 +40,7 @@
value='profile'/></wiki:Link></wiki:CheckRequestContext>"
id="editProfile"
class="wikiform"
- onsubmit="return Wiki.submitOnce( this );"
+ onsubmit="return Wiki.submitOnce( this );"
method="post" accept-charset="UTF-8">
<h3>
@@ -80,12 +80,12 @@
<!-- Password; not displayed if container auth used -->
<wiki:UserProfile property="canChangePassword">
<tr>
+ <td><label for="password0">Old</label> </label></td>
+ <td><input type="password" name="password0" id="password0" size="20" value="" /> </td>
+ </tr>
+ <tr>
<td><label for="password"><fmt:message key="prefs.password"/></label></td>
<td>
- <%--FIXME Enter Old PW to validate change flow, not yet treated by JSPWiki
- <label for="password0">Old</label>
- <input type="password" name="password0" id="password0" size="20" value="" />
- --%>
<input type="password" name="password" id="password" size="20" value="" />
</td>
</tr>
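Review bot: Line 104 carries a stray second `</label>` after the label element, leaving unbalanced markup in the rendered row, and its text `Old` is hard-coded even though this commit adds the `prefs.password0` bundle key and uses it in the default template. The row should read `<td><label for="password0"><fmt:message key="prefs.password0"/></label></td>`. The new-password label on line 108 still uses `prefs.password`, whereas the default template switched to `prefs.password1`; keeping both templates on the same keys avoids the two profile pages describing the same field differently. The enclosing `<wiki:UserProfile>` block continues past this hunk.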
diff --git a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
index d37b275..36a7bef 100644
--- a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
@@ -98,11 +98,11 @@
<!-- Password field; not displayed if container auth used -->
<wiki:UserProfile property="canChangePassword">
<div class="form-group">
- <label class="control-label form-col-20" for="password"><fmt:message key="prefs.password"/></label>
- <%--FIXME Enter Old PW to validate change flow, not yet treated by JSPWiki
- <label class="control-label form-col-20" for="password0">Old</label>
- <input type="password" name="password0" id="password0" size="20" value="" />
- --%>
+ <label class="control-label form-col-20" for="password0"><fmt:message key="prefs.password0"/></label>
+ <input class="form-control form-col-50" type="password" name="password0" id="password0" size="20" value="" />
+ </div>
+ <div class="form-group">
+ <label class="control-label form-col-20" for="password"><fmt:message key="prefs.password1"/></label>
<input class="form-control form-col-50" type="password" name="password" id="password" size="20" value="" required/>
</div>
<div class="form-group">
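Review bot: The current-password input on line 131 is rendered for every profile that can change its password, including a brand-new registration where no current password exists, while DefaultUserManager in this commit validates `password0` only for existing profiles (`!profile.isNew()`); the field should be hidden on the new-profile path, if the `wiki:UserProfile` tag offers an existing-profile check, so new users are not asked for a password they do not have. Unlike the new-password input on line 135, the line-131 input has no `required` attribute even though the server now rejects the change when the value is wrong; marking it required for existing profiles keeps client-side and server-side validation in step. Adding `autocomplete="current-password"` to the line-131 input and `autocomplete="new-password"` to the line-135 input also stops browsers from autofilling the stored password into the new-password box.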