From 5d6b6565cd33b57b8332642dcc08d34eedcf804b Mon Sep 17 00:00:00 2001 From: Anonymous Contributor Date: Wed, 23 Aug 2023 18:16:36 +0200 Subject: [PATCH] Add minimum password length requirement --- config.example.php | 2 ++ pages/profile.php | 31 +++++++++++++++++---------- pages/register.php | 53 ++++++++++++++++++++-------------------------- 3 files changed, 45 insertions(+), 41 deletions(-) diff --git a/config.example.php b/config.example.php index fd76cbb..8633c11 100644 --- a/config.example.php +++ b/config.example.php @@ -22,4 +22,6 @@ $RUNTIME['SIDOMAN']['PASSWORD'] = "..."; $RUNTIME['DOMAIN'] = "mcp.4creative.net"; $RUNTIME['IAR']['BASEURL'] = "https://mcp.4creative.net/data/"; + +$RUNTIME['PASSWORD_MIN_LENGTH'] = 8; ?> diff --git a/pages/profile.php b/pages/profile.php index 0e8d19d..d15c6b4 100644 --- a/pages/profile.php +++ b/pages/profile.php @@ -1,5 +1,7 @@ prepare('SELECT 1 FROM UserAccounts WHERE '.$part.' = ? AND '.$otherPart.' = ?'); $query->execute(array($value, $otherValue)); @@ -49,7 +51,7 @@ $NewFirstName = trim($_POST['formInputFeldVorname']); if($NewFirstName != "" && $_SESSION['FIRSTNAME'] != $NewFirstName) { - if(setNamePart('FirstName', $NewFirstName, 'LastName', isset($_POST['formInputFeldNachname']) && trim($_POST['formInputFeldNachname']) > 0 ? $_POST['formInputFeldNachname'] : $_SESSION['LASTNAME'])) { + if(setNamePart('FirstName', $NewFirstName, 'LastName', isset($_POST['formInputFeldNachname']) && strlen(trim($_POST['formInputFeldNachname'])) > 0 ? $_POST['formInputFeldNachname'] : $_SESSION['LASTNAME'])) { $_SESSION['FIRSTNAME'] = $NewFirstName; $_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME']; $_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']); 
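Review bot: Deployments whose config.php predates this patch have no PASSWORD_MIN_LENGTH key, and the reads added in pages/register.php and pages/profile.php then compare against null (with an undefined-index warning); `strlen($pass) < null` is never true and `strlen(...) >= null` is always true, so the new minimum silently does not apply on such installs. Either document the key as required in the upgrade notes or read it with a fallback at the use sites, e.g. `$minLength = $RUNTIME['PASSWORD_MIN_LENGTH'] ?? 8;`. A one-line comment above the new setting, `// Minimum password length enforced at registration and on password change`, would also help operators find it.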
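Review bot: The changed line now tests `strlen(trim(...)) > 0` but still passes the untrimmed `$_POST['formInputFeldNachname']` to setNamePart, while `$NewFirstName` on the line above is trimmed, so the uniqueness query can compare a last name with surrounding whitespace against the stored one. Pass the trimmed value instead: `... ? trim($_POST['formInputFeldNachname']) : $_SESSION['LASTNAME']`. The mirrored change at @@ -64,7 +66,7 @@ has the same issue with formInputFeldVorname. The enclosing if-block continues outside the hunk.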
@@ -64,7 +66,7 @@ $NewLastName = trim($_POST['formInputFeldNachname']); if($NewLastName != "" && $_SESSION['LASTNAME'] != $NewLastName) { - if(setNamePart('LastName', $NewLastName, 'FirstName', isset($_POST['formInputFeldVorname']) && trim($_POST['formInputFeldVorname']) > 0 ? $_POST['formInputFeldVorname'] : $_SESSION['FIRSTNAME'])) { + if(setNamePart('LastName', $NewLastName, 'FirstName', isset($_POST['formInputFeldVorname']) && strlen(trim($_POST['formInputFeldVorname'])) > 0 ? $_POST['formInputFeldVorname'] : $_SESSION['FIRSTNAME'])) { $_SESSION['LASTNAME'] = $NewLastName; $_SESSION['USERNAME'] = $_SESSION['FIRSTNAME']." ".$_SESSION['LASTNAME']; $_SESSION['DISPLAYNAME'] = strtoupper($_SESSION['USERNAME']); @@ -98,11 +100,13 @@ } if(isset($_POST['formInputFeldPartnerName']) && $_POST['formInputFeldPartnerName'] != "") { + include_once 'app/OpenSim.php'; + $opensim = new OpenSim(); + $NewPartner = trim($_POST['formInputFeldPartnerName']); $CurrentPartner = $opensim->getPartner($_SESSION['UUID']); - include_once 'app/OpenSim.php'; - if($CurrentPartner != "")$CurrentPartner = (new OpenSim())->getUserName($CurrentPartner); + if($CurrentPartner != "")$CurrentPartner = $opensim->getUserName($CurrentPartner); if($NewPartner != "" && $CurrentPartner != $NewPartner) { $newPartnerUUID = $opensim->getUserUUID($NewPartner); 
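Review bot: The rewritten line `if($CurrentPartner != "")$CurrentPartner = $opensim->getUserName($CurrentPartner);` keeps a braceless single-line if that is easy to misread next to the braced blocks around it; write it as `if ($CurrentPartner != "") { $CurrentPartner = $opensim->getUserName($CurrentPartner); }`. The include_once and the OpenSim construction now live inside this if-body, so `$opensim` is only defined when a partner name was posted; if nothing earlier in the file constructs it (the hunk does not show this), hoisting both to the top of the file would make the dependency explicit.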
@@ -127,15 +131,20 @@ if($validator->isValid($_POST)) { if($_POST['newPasswordRepeat'] == $_POST['newPassword']) { - if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) { - $hash = password_hash($NewPassword, PASSWORD_ARGON2ID); - $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); - $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]); - $_SESSION['PASSWORD'] = $hash; - $_SESSION['profile_info'] = 'Neues Passwort gespeichert.'; + if(strlen(trim($_POST['newPassword'])) >= $RUNTIME['PASSWORD_MIN_LENGTH']) { + if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) { + $hash = password_hash($NewPassword, PASSWORD_ARGON2ID); + $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); + $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]); + $_SESSION['PASSWORD'] = $hash; + $_SESSION['profile_info'] = 'Neues Passwort gespeichert.'; + } + else { + $_SESSION['profile_info'] = 'Das alte Passwort ist nicht richtig!'; + } } else { - $_SESSION['profile_info'] = 'Das alte Passwort ist nicht richtig!'; + $_SESSION['profile_info'] = 'Das neue Passwort muss mindestens '.$RUNTIME['PASSWORD_MIN_LENGTH'].' Zeichen lang sein.'; } } else { diff --git a/pages/register.php b/pages/register.php index cb7d9f5..4d4a019 100644 --- a/pages/register.php +++ b/pages/register.php 
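Review bot: The new length check measures `strlen(trim($_POST['newPassword']))` while the hash two lines below is computed from `$NewPassword`, which is assigned outside the hunk; if that variable holds a different value (for example the untrimmed input), the password that is stored is not the one that was measured. Measure the variable that is hashed, and use `mb_strlen` since the message promises a count of "Zeichen" whereas strlen counts bytes, so a four-character non-ASCII password can satisfy an 8-byte minimum: `if(mb_strlen($NewPassword) >= $RUNTIME['PASSWORD_MIN_LENGTH']) {`. The same byte-versus-character issue applies to the check added in pages/register.php at @@ -54,40 +54,34 @@. The unchanged context line `if($_POST['newPasswordRepeat'] == $_POST['newPassword'])` uses a loose comparison that treats numeric strings such as "1e3" and "1000" as equal; `===` is the safer form. The outer if($validator->isValid(...)) block ends outside the hunk.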
@@ -54,40 +54,34 @@ die(); } - $RUNTIME['REGISTER']['Name'] = null; - $RUNTIME['REGISTER']['PASS'] = null; - $RUNTIME['REGISTER']['EMAIL'] = null; - $RUNTIME['REGISTER']['AVATAR'] = null; - $RUNTIME['REGISTER']['TOS'] = true; $name = trim($_POST['username']); - if($name != "") - { + $nameParts; + if($name != "") { $nameParts = explode(" ", $name); - if(count($nameParts) == 1) - { + if(count($nameParts) == 1) { $name .= " Resident"; $nameParts = explode(" ", $name); } $statementAvatarName = $RUNTIME['PDO']->prepare("SELECT 1 FROM UserAccounts WHERE FirstName = :FirstName AND LastName = :LastName LIMIT 1"); $statementAvatarName->execute(['FirstName' => $nameParts[0], 'LastName' => $nameParts[1]]); - if($statementAvatarName->rowCount() == 0) - { - $RUNTIME['REGISTER']['Name'] = $name; - } - else - { + if($statementAvatarName->rowCount() > 0) { displayPage("Der gewählte Name ist bereits vergeben."); } } - $RUNTIME['REGISTER']['PASS'] = trim($_POST['password']); - $RUNTIME['REGISTER']['EMAIL'] = trim($_POST['email']); - if(isset($RUNTIME['DEFAULTAVATAR'][$_POST['avatar']]['UUID'])) - { - $RUNTIME['REGISTER']['AVATAR'] = trim($_POST['avatar']); + + $pass = trim($_POST['password']); + if(strlen($pass) < $RUNTIME['PASSWORD_MIN_LENGTH']) { + displayPage('Dein Passwort muss mindestens '.$RUNTIME['PASSWORD_MIN_LENGTH'].' Zeichen lang sein.'); } - else - { + + $email = trim($_POST['email']); + + $avatar; + if(isset($RUNTIME['DEFAULTAVATAR'][$_POST['avatar']]['UUID'])) { + $avatar = trim($_POST['avatar']); + } + else { displayPage("Der gewählte Standardavatar existiert nicht."); } 
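Review bot: The bare statements `$nameParts;` and `$avatar;` are expression statements that neither declare nor initialise a variable, so when `$name` is empty `$nameParts` is still undefined by the time the hunk at @@ -95,12 +89,11 @@ reads `$nameParts[0]` and `$nameParts[1]`; the removed `$RUNTIME['REGISTER']['Name'] = null` suggests a later null check that this patch no longer feeds, which is not visible here. Initialise explicitly, `$nameParts = [];`, and reject an empty `$name` with displayPage() the way the taken-name case does. The new password check also relies on displayPage() terminating the request; the `die();` on the hunk's first context line suggests it may not, in which case an under-length password still reaches the account creation below unless displayPage() exits on its own.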
@@ -95,12 +89,11 @@ $opensim = new OpenSim(); $avatarUUID = $opensim->gen_uuid(); - $passwordHash = password_hash($RUNTIME['REGISTER']['PASS'], PASSWORD_ARGON2ID); - $avatarNameParts = explode(" ", $RUNTIME['REGISTER']['Name']); + $passwordHash = password_hash($pass, PASSWORD_ARGON2ID); $statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :WEBKEY, :ACCTYPE)'); $statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]); $statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )'); - $statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $avatarNameParts[0], 'LastName' => $avatarNameParts[1], 'Email' => $RUNTIME['REGISTER']['EMAIL'], 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]); + $statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $nameParts[0], 'LastName' => $nameParts[1], 'Email' => $email, 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]); $statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileFirstImage`) VALUES (:useruuid, :profilePartner, :profileImage, :profileFirstImage)'); $statementProfile->execute(['useruuid' => $avatarUUID, 
'profilePartner' => "00000000-0000-0000-0000-000000000000", 'profileImage' => "00000000-0000-0000-0000-000000000000", 'profileFirstImage' => "00000000-0000-0000-0000-000000000000"]); $Inventory = array('Calling Cards' => 2, 'Objects' => 6, 'Landmarks' => 3, 'Clothing' => 5, 'Gestures' => 21, 'Body Parts' => 13, 'Textures' => 0, 'Scripts' => 10, 'Photo Album' => 15, 'Lost And Found' => 16, 'Trash' => 14, 'Notecards' => 7, 'My Inventory' => 8, 'Sounds' => 1, 'Animations' => 20); @@ -121,14 +114,14 @@ $statementInviteDeleter = $RUNTIME['PDO']->prepare('DELETE FROM InviteCodes WHERE InviteCode = :code'); $statementInviteDeleter->execute(['code' => $_REQUEST['code']]); session_unset(); // Unset pre-session variables, next request will generate a new CSRF token - $_SESSION['USERNAME'] = trim($RUNTIME['REGISTER']['Name']); - $_SESSION['FIRSTNAME'] = trim($avatarNameParts[0]); - $_SESSION['LASTNAME'] = trim($avatarNameParts[1]); - $_SESSION['EMAIL'] = trim($RUNTIME['REGISTER']['EMAIL']); + $_SESSION['USERNAME'] = trim($name); + $_SESSION['FIRSTNAME'] = trim($nameParts[0]); + $_SESSION['LASTNAME'] = trim($nameParts[1]); + $_SESSION['EMAIL'] = $email; $_SESSION['PASSWORD'] = $passwordHash; $_SESSION['UUID'] = $avatarUUID; $_SESSION['LEVEL'] = 0; - $_SESSION['DISPLAYNAME'] = strtoupper(trim($RUNTIME['REGISTER']['Name'])); + $_SESSION['DISPLAYNAME'] = strtoupper($name); $_SESSION['LOGIN'] = 'true'; header('Location: index.php?page=dashboard');