Security: Integrate Settings and necessary functions to enforce password complexity requirements.
Theme: Add basic password strength indicator bar. Default Settings: Also verify correct Type (name) on Upgrade > App Defaults. User: Show Nickname in Contact select if no Given or Family name. Password Reset: Integrate hide and convert password fields method to prevent browser prompt.
@@ -988,8 +988,8 @@ function format_string ($format, $data) {
|
||||
$password = '';
|
||||
$charset = '';
|
||||
if ($length === 0 && $strength === 0) { //set length and strenth if specified in default settings and strength isn't numeric-only
|
||||
$length = (is_numeric($_SESSION["security"]["password_length"]["var"])) ? $_SESSION["security"]["password_length"]["var"] : 10;
|
||||
$strength = (is_numeric($_SESSION["security"]["password_strength"]["var"])) ? $_SESSION["security"]["password_strength"]["var"] : 4;
|
||||
$length = (is_numeric($_SESSION["security"]["password_length"]["numeric"])) ? $_SESSION["security"]["password_length"]["numeric"] : 10;
|
||||
$strength = (is_numeric($_SESSION["security"]["password_strength"]["numeric"])) ? $_SESSION["security"]["password_strength"]["numeric"] : 4;
|
||||
}
|
||||
if ($strength >= 1) { $charset .= "0123456789"; }
|
||||
if ($strength >= 2) { $charset .= "abcdefghijkmnopqrstuvwxyz"; }
|
||||
@@ -1002,7 +1002,42 @@ function format_string ($format, $data) {
|
||||
}
|
||||
return $password;
|
||||
}
|
||||
//echo generate_password(4, 4);
|
||||
|
||||
//check password strength against requirements (if any)
|
||||
function check_password_strength($password, $text) {
|
||||
if ($password != '') {
|
||||
$req['length'] = $_SESSION['security']['password_length']['numeric'];
|
||||
$req['number'] = ($_SESSION['security']['password_number']['boolean'] == 'true') ? true : false;
|
||||
$req['lowercase'] = ($_SESSION['security']['password_lowercase']['boolean'] == 'true') ? true : false;
|
||||
$req['uppercase'] = ($_SESSION['security']['password_uppercase']['boolean'] == 'true') ? true : false;
|
||||
$req['special'] = ($_SESSION['security']['password_special']['boolean'] == 'true') ? true : false;
|
||||
if (is_numeric($req['length']) && $req['length'] != 0 && !preg_match_all('$\S*(?=\S{'.$req['length'].',})\S*$', $password)) { // length
|
||||
$msg_errors[] = $req['length'].'+ '.$text['label-characters'];
|
||||
}
|
||||
if ($req['number'] && !preg_match_all('$\S*(?=\S*[\d])\S*$', $password)) { //number
|
||||
$msg_errors[] = '1+ '.$text['label-numbers'];
|
||||
}
|
||||
if ($req['lowercase'] && !preg_match_all('$\S*(?=\S*[a-z])\S*$', $password)) { //lowercase
|
||||
$msg_errors[] = '1+ '.$text['label-lowercase_letters'];
|
||||
}
|
||||
if ($req['uppercase'] && !preg_match_all('$\S*(?=\S*[A-Z])\S*$', $password)) { //uppercase
|
||||
$msg_errors[] = '1+ '.$text['label-uppercase_letters'];
|
||||
}
|
||||
if ($req['special'] && !preg_match_all('$\S*(?=\S*[\W])\S*$', $password)) { //special
|
||||
$msg_errors[] = '1+ '.$text['label-special_characters'];
|
||||
}
|
||||
if (is_array($msg_errors) && sizeof($msg_errors) > 0) {
|
||||
$_SESSION["message"] = $text['message-password_requirements'].': '.implode(', ', $msg_errors);
|
||||
$_SESSION['message_mood'] = 'negative';
|
||||
$_SESSION['message_delay'] = '6000';
|
||||
return false;
|
||||
}
|
||||
else {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
//based on Wez Furlong do_post_request
|
||||
if (!function_exists('send_http_request')) {
|
||||
|
||||
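Review bot: The length check in check_password_strength uses `\S{N,}`, which requires N consecutive non-whitespace characters, so a password such as `abcde fghij` (11 characters with an embedded space) is rejected for length even though it meets the configured minimum, and this disagrees with the client-side `/.{N,}/` test emitted in the same commit; replace the regex with a plain length comparison, `if (is_numeric($req['length']) && $req['length'] != 0 && mb_strlen($password) < $req['length']) { // length`. `$msg_errors` is never initialised, so the later `is_array($msg_errors)` only papers over an undefined-variable notice; add `$msg_errors = [];` before the first requirement test. The remaining character-class tests could use `preg_match` rather than `preg_match_all`, since only presence is needed; note also that `[\W]` without the `u` modifier treats non-ASCII letters as "special", which may or may not be intended.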
@@ -116,16 +116,22 @@
|
||||
$password_repeat != '' &&
|
||||
$password_new == $password_repeat
|
||||
) {
|
||||
$salt = generate_password('20', '4');
|
||||
$sql = "update v_users set ";
|
||||
$sql .= "password = '".md5($salt.$password_new)."', ";
|
||||
$sql .= "salt = '".$salt."' ";
|
||||
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
||||
$sql .= "and username = '".$username."' ";
|
||||
$db->exec(check_sql($sql));
|
||||
|
||||
$_SESSION["message"] = $text['message-password_reset'];
|
||||
$password_reset = false;
|
||||
if (!check_password_strength($password_new, $text)) {
|
||||
$password_reset = true;
|
||||
}
|
||||
else {
|
||||
$salt = generate_password('20', '4');
|
||||
$sql = "update v_users set ";
|
||||
$sql .= "password = '".md5($salt.$password_new)."', ";
|
||||
$sql .= "salt = '".$salt."' ";
|
||||
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
||||
$sql .= "and username = '".$username."' ";
|
||||
$db->exec(check_sql($sql));
|
||||
|
||||
$_SESSION["message"] = $text['message-password_reset'];
|
||||
$password_reset = false;
|
||||
}
|
||||
}
|
||||
else {
|
||||
//not found
|
||||
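Review bot: The new success branch still persists the password as `md5($salt.$password_new)`; MD5 is fast and unsuited for password storage, so this would be the place to move to `password_hash($password_new, PASSWORD_DEFAULT)` and drop the separate salt column, with `password_verify()` on the login side (that verification code is outside this hunk, so the change must be coordinated there). The update statement is assembled by string concatenation of `$username` and `$_SESSION['domain_uuid']` and relies on `check_sql()`; a prepared statement with bound parameters would be the safer form if the database layer supports it. The `$password_reset` flag is set to `false` before the strength check and again inside the else branch, so the second assignment is redundant and the intent would be clearer as `$password_reset = !check_password_strength($password_new, $text);` followed by the update in an `if (!$password_reset)` block. The enclosing `if` condition starts above the hunk.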
@@ -253,17 +259,100 @@
|
||||
}
|
||||
else {
|
||||
|
||||
echo "<script>\n";
|
||||
echo " function compare_passwords() {\n";
|
||||
echo " if (document.getElementById('password') === document.activeElement || document.getElementById('password_confirm') === document.activeElement) {\n";
|
||||
echo " if ($('#password').val() != '' || $('#password_confirm').val() != '') {\n";
|
||||
echo " if ($('#password').val() != $('#password_confirm').val()) {\n";
|
||||
echo " $('#password').removeClass('formfld_highlight_good');\n";
|
||||
echo " $('#password_confirm').removeClass('formfld_highlight_good');\n";
|
||||
echo " $('#password').addClass('formfld_highlight_bad');\n";
|
||||
echo " $('#password_confirm').addClass('formfld_highlight_bad');\n";
|
||||
echo " }\n";
|
||||
echo " else {\n";
|
||||
echo " $('#password').removeClass('formfld_highlight_bad');\n";
|
||||
echo " $('#password_confirm').removeClass('formfld_highlight_bad');\n";
|
||||
echo " $('#password').addClass('formfld_highlight_good');\n";
|
||||
echo " $('#password_confirm').addClass('formfld_highlight_good');\n";
|
||||
echo " }\n";
|
||||
echo " }\n";
|
||||
echo " }\n";
|
||||
echo " else {\n";
|
||||
echo " $('#password').removeClass('formfld_highlight_bad');\n";
|
||||
echo " $('#password_confirm').removeClass('formfld_highlight_bad');\n";
|
||||
echo " $('#password').removeClass('formfld_highlight_good');\n";
|
||||
echo " $('#password_confirm').removeClass('formfld_highlight_good');\n";
|
||||
echo " }\n";
|
||||
echo " }\n";
|
||||
|
||||
$req['length'] = $_SESSION['security']['password_length']['numeric'];
|
||||
$req['number'] = ($_SESSION['security']['password_number']['boolean'] == 'true') ? true : false;
|
||||
$req['lowercase'] = ($_SESSION['security']['password_lowercase']['boolean'] == 'true') ? true : false;
|
||||
$req['uppercase'] = ($_SESSION['security']['password_uppercase']['boolean'] == 'true') ? true : false;
|
||||
$req['special'] = ($_SESSION['security']['password_special']['boolean'] == 'true') ? true : false;
|
||||
|
||||
echo " function check_password_strength(pwd) {\n";
|
||||
echo " if ($('#password').val() != '' || $('#password_confirm').val() != '') {\n";
|
||||
echo " var msg_errors = [];\n";
|
||||
if (is_numeric($req['length']) && $req['length'] != 0) {
|
||||
echo " var re = /.{".$req['length'].",}/;\n"; //length
|
||||
echo " if (!re.test(pwd)) { msg_errors.push('".$req['length']."+ ".$text['label-characters']."'); }\n";
|
||||
}
|
||||
if ($req['number']) {
|
||||
echo " var re = /(?=.*[\d])/;\n"; //number
|
||||
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-numbers']."'); }\n";
|
||||
}
|
||||
if ($req['lowercase']) {
|
||||
echo " var re = /(?=.*[a-z])/;\n"; //lowercase
|
||||
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-lowercase_letters']."'); }\n";
|
||||
}
|
||||
if ($req['uppercase']) {
|
||||
echo " var re = /(?=.*[A-Z])/;\n"; //uppercase
|
||||
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-uppercase_letters']."'); }\n";
|
||||
}
|
||||
if ($req['special']) {
|
||||
echo " var re = /(?=.*[\W])/;\n"; //special
|
||||
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-special_characters']."'); }\n";
|
||||
}
|
||||
echo " if (msg_errors.length > 0) {\n";
|
||||
echo " var msg = '".$text['message-password_requirements'].": ' + msg_errors.join(', ');\n";
|
||||
echo " display_message(msg, 'negative', '6000');\n";
|
||||
echo " return false;\n";
|
||||
echo " }\n";
|
||||
echo " else {\n";
|
||||
echo " return true;\n";
|
||||
echo " }\n";
|
||||
echo " }\n";
|
||||
echo " else {\n";
|
||||
echo " return true;\n";
|
||||
echo " }\n";
|
||||
echo " }\n";
|
||||
|
||||
echo " function show_strenth_meter() {\n";
|
||||
echo " $('#pwstrength_progress').slideDown();\n";
|
||||
echo " }\n";
|
||||
echo "</script>\n";
|
||||
|
||||
echo "<span id='reset_form'>\n";
|
||||
echo "<form name='reset' method='post' action=''>\n";
|
||||
echo "<form name='reset' id='frm' method='post' action=''>\n";
|
||||
echo "<input type='hidden' name='action' value='reset'>\n";
|
||||
echo "<input type='hidden' name='au' value='".md5($_SESSION['login']['password_reset_key']['text'].$username)."'>\n";
|
||||
echo "<input type='text' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 8px;' name='username' id='username' placeholder=\"".$text['label-username']."\"><br />\n";
|
||||
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 8px;' name='password_new' autocomplete='off' placeholder=\"".$text['label-new_password']."\"><br />\n";
|
||||
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 8px;' name='password_repeat' autocomplete='off' placeholder=\"".$text['label-repeat_password']."\"><br />\n";
|
||||
echo "<input type='submit' class='btn' style='width: 100px; margin-top: 15px;' value='".$text['button-save']."'>\n";
|
||||
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 4px;' name='password_new' id='password' autocomplete='off' placeholder=\"".$text['label-new_password']."\" onkeypress='show_strenth_meter();' onfocus='compare_passwords();' onkeyup='compare_passwords();' onblur='compare_passwords();'><br />\n";
|
||||
echo "<div id='pwstrength_progress' class='pwstrength_progress pwstrength_progress_password_reset'></div>";
|
||||
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-top: 4px; margin-bottom: 8px;' name='password_repeat' id='password_confirm' autocomplete='off' placeholder=\"".$text['label-repeat_password']."\" onfocus='compare_passwords();' onkeyup='compare_passwords();' onblur='compare_passwords();'><br />\n";
|
||||
echo "<input type='button' class='btn' style='width: 100px; margin-top: 15px;' value='".$text['button-save']."' onclick=\"if (check_password_strength(document.getElementById('password').value)) { submit_form(); }\">\n";
|
||||
echo "<br><br><a class='login_link' onclick=\"document.location.href='login.php';\">".$text['label-cancel']."</a>";
|
||||
echo "</form>";
|
||||
echo "<script>document.getElementById('username').focus();</script>";
|
||||
echo "<script>\n";
|
||||
echo " document.getElementById('username').focus();\n";
|
||||
// convert password fields to text
|
||||
echo " function submit_form() {\n";
|
||||
echo " $('input:password').css('visibility','hidden');\n";
|
||||
echo " $('input:password').attr({type:'text'});\n";
|
||||
echo " $('form#frm').submit();\n";
|
||||
echo " }\n";
|
||||
echo "</script>\n";
|
||||
echo "</span>";
|
||||
|
||||
}
|
||||
|
||||
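Review bot: The label strings from `$text[...]` are spliced verbatim into single-quoted JavaScript literals (the `msg_errors.push('...')` lines and the `var msg = '...'` line), so any translation containing an apostrophe or backslash breaks the generated script; emit them with `json_encode($text['label-numbers'])` and the other keys in place of the hand-built quotes, which also removes the need to reason about escaping per call site. `$req['length']` is interpolated into the `/.{N,}/` regex after only an `is_numeric()` guard, which still admits values like `1.5` or `1e2`; cast with `(int)` before building the pattern. Changing the submit control to `type='button'` with an onclick handler means pressing Enter in the form no longer submits (three fields block implicit submission), and the client-side check is a convenience only — the server-side check_password_strength in the functions file remains the authoritative gate, which is worth stating in a comment above the button.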