1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
<?php
/**
* Password policy checks
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
namespace MediaWiki\Password;
use MediaWiki\Status\Status;
use MediaWiki\User\UserIdentity;
use Wikimedia\CommonPasswords\CommonPasswords;
/**
* Functions to check passwords against a policy requirement.
*
* $policyVal is the value configured in $wgPasswordPolicy. If the return status is fatal,
* the user won't be allowed to log in. If the status is not good but not fatal, the user
* will not be allowed to set the given password (on registration or password change),
* but can still log in after bypassing a warning.
*
* @since 1.26
* @see $wgPasswordPolicy
*/
class PasswordPolicyChecks {
/**
* Check password is longer than the minimum, not fatal.
* @param int $policyVal minimal length
* @param UserIdentity $user
* @param string $password
* @return Status error if $password is shorter than $policyVal
*/
public static function checkMinimalPasswordLength( $policyVal, UserIdentity $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->error( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is longer than the minimum, fatal.
* Intended for locking out users with passwords too short to trust, requiring them
* to recover their account by some other means.
* @param int $policyVal minimal length
* @param UserIdentity $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMinimumPasswordLengthToLogin( $policyVal, UserIdentity $user, $password ) {
$status = Status::newGood();
if ( $policyVal > strlen( $password ) ) {
$status->fatal( 'passwordtooshort', $policyVal );
}
return $status;
}
/**
* Check password is shorter than the maximum, fatal.
* Intended for preventing DoS attacks when using a more expensive password hash like PBKDF2.
* @param int $policyVal maximum length
* @param UserIdentity $user
* @param string $password
* @return Status fatal if $password is shorter than $policyVal
*/
public static function checkMaximalPasswordLength( $policyVal, UserIdentity $user, $password ) {
$status = Status::newGood();
if ( $policyVal < strlen( $password ) ) {
$status->fatal( 'passwordtoolong', $policyVal );
}
return $status;
}
/**
* Check if a password is a (case-insensitive) substring within the username.
* @param bool $policyVal true to force compliance.
* @param UserIdentity $user
* @param string $password
* @return Status error if the password is a substring within username, and the policy is true
*/
public static function checkPasswordCannotBeSubstringInUsername(
$policyVal,
UserIdentity $user,
$password
) {
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal && stripos( $username, $password ) !== false ) {
$status->error( 'password-substring-username-match' );
}
return $status;
}
/**
* Check if username and password are on a list of past MediaWiki default passwords.
* @param bool $policyVal true to force compliance.
* @param UserIdentity $user
* @param string $password
* @return Status error if the username and password match, and policy is true
*/
public static function checkPasswordCannotMatchDefaults( $policyVal, UserIdentity $user, $password ) {
static $blockedLogins = [
// r75589
'Useruser' => 'Passpass',
'Useruser1' => 'Passpass1',
// r75605
'Apitestsysop' => 'testpass',
'Apitestuser' => 'testpass',
];
$status = Status::newGood();
$username = $user->getName();
if ( $policyVal ) {
if (
isset( $blockedLogins[$username] ) &&
hash_equals( $blockedLogins[$username], $password )
) {
$status->error( 'password-login-forbidden' );
}
// Example from ApiChangeAuthenticationRequest
if ( hash_equals( 'ExamplePassword', $password ) ) {
$status->error( 'password-login-forbidden' );
}
}
return $status;
}
/**
* Ensure the password isn't in the list of common passwords by the
* wikimedia/common-passwords library, which contains (as of 0.2.0) the
* 100,000 top passwords from SecLists (as a Bloom filter, with an
* 0.000001 false positive ratio).
*
* @param bool $policyVal Whether to apply this policy
* @param UserIdentity $user
* @param string $password
*
* @since 1.33
*
* @return Status
*/
public static function checkPasswordNotInCommonList( $policyVal, UserIdentity $user, $password ) {
$status = Status::newGood();
if ( $policyVal && CommonPasswords::isCommon( $password ) ) {
$status->error( 'passwordincommonlist' );
}
return $status;
}
}
|
