
Item11286: Password tests fail if user has missing password

Priority: Urgent
Current State: Closed
Released In: 1.1.4
Target Release: n/a
Applies To: Extension
Component: UnitTestContrib
Branches: Release01x01 trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The password tests are dependent upon order of execution. If the "Auto" tests don't run before the plain text password tests, the test fails.
  • Auto tests are modifying the test cases, removing a blank password.
  • The doTest routine doesn't handle blank passwords.

Tests need to verify
  • Password database with blank password cannot be used to login.
  • Blank password in db is valid - indicates that account is disabled.

-- GeorgeClark - 23 Nov 2011

Crawford, during our discussion today, you said that if a password entry is empty in the .htpasswd file, a null password means - IIRC - "don't let this idiot log in, and don't let them re-register again using this name".

It doesn't look like there are explicit checks for this condition, so we need to hold up and make sure my previous password changes are not opening anything up.

  • Password DB has null entry
    • No password test should succeed.
    • Password change not permitted (not possible to validate old password)
    • Password reset by user should be blocked (it is)
    • Only recovery is manual edit of password file from shell? - No - admin can still change password
  • Entered password is empty.
    • allow the empty password to be encrypted and written to db. Meaning an empty password is supported. This is how it works currently in 1.1.4
    • minimum password length allows this to be controlled.

Enforce this in HtPasswdUser.pm

Bumping this to urgent. Currently all of the "encrypted" password formats permit an empty password, assuming that the minimum password length test passes. I have not actually tried that at the UI level.

-- GeorgeClark - 24 Nov 2011
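The two cases in the list above (a null entry in the password database versus an empty password typed by the user) are easy to conflate in a checker, which is exactly what the order-dependent tests hid. The following Python model is an added illustration, not code from Foswiki's HtPasswdUser.pm or from the author of this task: it parses a constructed .htpasswd sample (user names, passwords and the `Outcome` names are invented for the example; only plain-text and {SHA} entries are modelled), treats an empty stored field as a disabled account that no entered password can match, blocks a user-initiated change on such an account while still allowing an admin change, and leaves an empty *entered* password to the minimum-length policy.

```python
import base64
import hashlib
import hmac
from enum import Enum


class Outcome(Enum):
    OK = "ok"
    NO_SUCH_USER = "no such user"
    DISABLED = "account disabled (empty password entry)"
    BAD_PASSWORD = "wrong password"
    TOO_SHORT = "new password shorter than minimum length"


def sha_hash(password: str) -> str:
    """Encode a password the way .htpasswd's {SHA} scheme does (base64 of SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample .htpasswd content (not a file from the Foswiki project):
#   alice - plain-text password "secret"
#   bob   - {SHA} hash of "secret"
#   carol - empty password field, i.e. the "this account is disabled" convention
#   dave  - {SHA} hash of the empty string: an empty password that was actually
#           enrolled (what the minimum-length check is meant to prevent)
SAMPLE_HTPASSWD = "\n".join([
    "alice:secret",
    "bob:" + sha_hash("secret"),
    "carol:",
    "dave:" + sha_hash(""),
]) + "\n"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored password field. An empty field is kept as ''."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        db[user] = stored
    return db


def stored_matches(stored: str, password: str) -> bool:
    """Constant-time comparison of an entered password against a non-empty entry."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored.encode(), sha_hash(password).encode())
    return hmac.compare_digest(stored.encode(), password.encode())  # plain-text entry


def check_login(db: dict, user: str, password: str) -> Outcome:
    """An empty stored entry is a disabled account: nothing the user types can
    match it, not even an empty string, so no comparison is attempted."""
    if user not in db:
        return Outcome.NO_SUCH_USER
    stored = db[user]
    if stored == "":
        return Outcome.DISABLED
    return Outcome.OK if stored_matches(stored, password) else Outcome.BAD_PASSWORD


def set_password(db: dict, user: str, old: str, new: str,
                 min_length: int, is_admin: bool = False) -> Outcome:
    """A user cannot change a disabled account's password (there is no old
    password to validate); an admin can. An empty new password is written,
    hashed, only when min_length permits it."""
    if user not in db:
        return Outcome.NO_SUCH_USER
    if not is_admin:
        if db[user] == "":
            return Outcome.DISABLED
        if not stored_matches(db[user], old):
            return Outcome.BAD_PASSWORD
    if len(new) < min_length:
        return Outcome.TOO_SHORT
    db[user] = sha_hash(new)
    return Outcome.OK


def empty_password_matrix() -> dict:
    """Every sample entry against both an empty and a non-empty entered
    password: the combinations a unit test for this task has to cover."""
    db = parse_htpasswd(SAMPLE_HTPASSWD)
    return {(user, entered): check_login(db, user, entered)
            for user in db for entered in ("", "secret")}


if __name__ == "__main__":
    for (user, entered), outcome in sorted(empty_password_matrix().items()):
        print(f"{user:6} entered={entered!r:9} -> {outcome.value}")
```

`empty_password_matrix` builds a fresh database on every call, so the matrix cannot depend on what an earlier test did to a shared structure; that is the property the original "Auto" tests lacked.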

Not as bad as I thought. I see in code comments that admin reset of null encrypted password is permitted. I've added a unit test to verify various combinations of empty passwords with all hashes. Found some issues with reset. But login handling is safe.

-- GeorgeClark - 24 Nov 2011
(07:49:21) SvenDowideit_: CDot you were the one that insisted that zero length pwd should mean 'can login without pwd'
(07:49:29) SvenDowideit_: as you used that for testing at the time
(07:49:42) ***CDot got in trouble for changing the semantics and changed it back, IIRC
(07:49:44) SvenDowideit_: i'm happier to have it mean 'go away'
(07:49:52) CDot: long time ago
(07:50:15) SvenDowideit_: i don't know, i do recall having to code it to allow you to log in without when i did the usermapper stuff
(07:50:39) SvenDowideit_: guess the only way to know, is 'what did you and i write the unit tests to say'
(07:51:04) SvenDowideit_: which sounds like a final stab at how much neither of us really meant it :/
(07:51:35) CDot: aye. You probably recall hwsnbn kicking up a fuss, because he used the "null pw" to disable spammers on t.o
(07:51:55) SvenDowideit_: mmm, actually, i recall the procedure to be more messy
(07:52:28) SvenDowideit_: but then he never doccoed what he did, it was more like, change pwd to non-null and change email addr to him
(07:52:37) CDot: ok, i never actually did it (wasn't worthy to be an admin on t.o) but that was the flame i got
So, the conclusion is "we don't know". Your response - fixing the tests - is absolutely the right way to go.

-- CrawfordCurrie - 24 Nov 2011

 
Topic revision: r11 - 02 Nov 2012, GeorgeClark