[freeside-commits] branch FREESIDE_3_BRANCH updated. 6f1a71826d05033213bda352f8c6753094093f56
Jonathan Prykop
jonathan at 420.am
Mon Dec 14 20:53:14 PST 2015
The branch, FREESIDE_3_BRANCH has been updated
via 6f1a71826d05033213bda352f8c6753094093f56 (commit)
via eb2c0c03d10e1561f8bfbea42b29bdf1b165c52b (commit)
via e0258f0085ce5ef7d3b21a51fd60635f1735b421 (commit)
via 0375336c45591cb3354daafa2be5fdf8e905a3ea (commit)
from 9f5cf2be392f07e6d7dd49462b14f7ee351c251e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6f1a71826d05033213bda352f8c6753094093f56
Author: Jonathan Prykop <jonathan at freeside.biz>
Date: Mon Dec 7 17:46:45 2015 -0600
RT#29354: Password Security in Email [v3 merge]
diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index 327eda8..eb1db81 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -69,6 +69,29 @@ sub is_password_allowed {
return '' unless $self->get($self->primary_key); # for validating new passwords pre-insert
+ #check against customer fields
+ my $cust_main = $self->cust_main;
+ if ($cust_main) {
+ my @words;
+ # words from cust_main
+ foreach my $field ( qw( last first daytime night fax mobile ) ) {
+ push @words, split(/\W/,$cust_main->get($field));
+ }
+ # words from cust_location
+ foreach my $loc ($cust_main->cust_location) {
+ foreach my $field ( qw(address1 address2 city county state zip) ) {
+ push @words, split(/\W/,$loc->get($field));
+ }
+ }
+ # do the actual checking
+ foreach my $word (@words) {
+ next unless length($word) > 2;
+ if ($password =~ /$word/i) {
+ return qq(Password contains account information '$word');
+ }
+ }
+ }
+
if ( $conf->config('password-no_reuse') =~ /^(\d+)$/ ) {
my $no_reuse = $1;
diff --git a/FS/FS/svc_acct.pm b/FS/FS/svc_acct.pm
index e963c80..203150f 100644
--- a/FS/FS/svc_acct.pm
+++ b/FS/FS/svc_acct.pm
@@ -2785,6 +2785,7 @@ sub password_svc_check {
my ($self, $password) = @_;
foreach my $field ( qw(username finger) ) {
foreach my $word (split(/\W+/,$self->get($field))) {
+ next unless length($word) > 2;
if ($password =~ /$word/i) {
return qq(Password contains account information '$word');
}
diff --git a/fs_selfservice/FS-SelfService/cgi/add_password_validation.html b/fs_selfservice/FS-SelfService/cgi/add_password_validation.js
similarity index 54%
rename from fs_selfservice/FS-SelfService/cgi/add_password_validation.html
rename to fs_selfservice/FS-SelfService/cgi/add_password_validation.js
index e349fd7..e2e3227 100644
--- a/fs_selfservice/FS-SelfService/cgi/add_password_validation.html
+++ b/fs_selfservice/FS-SelfService/cgi/add_password_validation.js
@@ -1,5 +1,4 @@
-<SCRIPT>
-function add_password_validation (fieldid) {
+function add_password_validation (fieldid,nologin) {
var inputfield = document.getElementById(fieldid);
inputfield.onchange = function () {
var fieldid = this.id+'_result';
@@ -11,19 +10,22 @@ function add_password_validation (fieldid) {
}
if (this.value) {
resultfield.innerHTML = '<SPAN STYLE="color: blue;">Validating password...</SPAN>';
+ var action = nologin ? 'validate_password_nologin' : 'validate_password';
send_xmlhttp('selfservice.cgi',
- ['action','validate_password','fieldid',fieldid,'svcnum',svcnum,'check_password',this.value],
+ ['action',action,'fieldid',fieldid,'svcnum',svcnum,'check_password',this.value],
function (result) {
result = JSON.parse(result);
var resultfield = document.getElementById(result.fieldid);
if (resultfield) {
+ var errorimg = '<IMG SRC="images/error.png" style="width: 1em; display: inline-block; padding-right: .5em">';
+ var validimg = '<IMG SRC="images/tick.png" style="width: 1em; display: inline-block; padding-right: .5em">';
if (result.valid) {
- resultfield.innerHTML = '<SPAN STYLE="color: green;">Password valid!</SPAN>';
+ resultfield.innerHTML = validimg+'<SPAN STYLE="color: green;">Password valid!</SPAN>';
} else if (result.error) {
- resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
+ resultfield.innerHTML = errorimg+'<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
} else {
result.syserror = result.syserror || 'Server error';
- resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
+ resultfield.innerHTML = errorimg+'<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
}
}
}
@@ -33,4 +35,4 @@ function add_password_validation (fieldid) {
}
};
}
-</SCRIPT>
+
diff --git a/fs_selfservice/FS-SelfService/cgi/change_password.html b/fs_selfservice/FS-SelfService/cgi/change_password.html
index ef66554..879faf2 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_password.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_password.html
@@ -28,11 +28,11 @@
<TD>
<INPUT ID="new_password" TYPE="password" NAME="new_password" SIZE="18">
<DIV ID="new_password_result"></DIV>
-<%= include('send_xmlhttp') %>
-<%= include('add_password_validation') %>
-<SCRIPT>
-add_password_validation('new_password');
-</SCRIPT>
+ <SCRIPT SRC="send_xmlhttp.js"></SCRIPT>
+ <SCRIPT SRC="add_password_validation.js"></SCRIPT>
+ <SCRIPT>
+ add_password_validation('new_password');
+ </SCRIPT>
</TD>
</TR>
diff --git a/fs_selfservice/FS-SelfService/cgi/images/error.png b/fs_selfservice/FS-SelfService/cgi/images/error.png
new file mode 100644
index 0000000..628cf2d
Binary files /dev/null and b/fs_selfservice/FS-SelfService/cgi/images/error.png differ
diff --git a/fs_selfservice/FS-SelfService/cgi/images/tick.png b/fs_selfservice/FS-SelfService/cgi/images/tick.png
new file mode 100644
index 0000000..a9925a0
Binary files /dev/null and b/fs_selfservice/FS-SelfService/cgi/images/tick.png differ
diff --git a/fs_selfservice/FS-SelfService/cgi/process_forgot_password.html b/fs_selfservice/FS-SelfService/cgi/process_forgot_password.html
index ec672c8..da6fc8d 100644
--- a/fs_selfservice/FS-SelfService/cgi/process_forgot_password.html
+++ b/fs_selfservice/FS-SelfService/cgi/process_forgot_password.html
@@ -15,6 +15,7 @@
<INPUT TYPE="hidden" NAME="session_id" VALUE="<%= $session_id %>">
<INPUT TYPE="hidden" NAME="agentnum" VALUE="<%= $agentnum %>">
+<DIV STYLE="background: <%= $box_bgcolor || '#c0c0c0' %>">
<TABLE BGCOLOR="<%= $box_bgcolor || '#c0c0c0' %>" BORDER=0 CELLSPACING=2 CELLPADDING=0>
<%= if (!$error) {
@@ -23,16 +24,27 @@
<TR>
<TH ALIGN="right">New password: </TH>
- <TD><INPUT TYPE="password" NAME="new_password" SIZE="18"></TD>
+ <TD>
+ <INPUT ID="new_password" TYPE="password" NAME="new_password" SIZE="18">
+ </TD>
+ <TD>
+ <SPAN ID="new_password_result"></SPAN>
+ <SCRIPT SRC="send_xmlhttp.js"></SCRIPT>
+ <SCRIPT SRC="add_password_validation.js"></SCRIPT>
+ <SCRIPT>
+ add_password_validation('new_password',true);
+ </SCRIPT>
+ </TD>
</TR>
<TR>
<TH ALIGN="right">Re-enter new password: </TH>
<TD><INPUT TYPE="password" NAME="new_password2" SIZE="18"></TD>
+ <TD></TD>
</TR>
-
<TR>
- <TD COLSPAN=2 ALIGN="center"><INPUT TYPE="submit" VALUE="Change password"></TD>
+ <TD COLSPAN="2" ALIGN="center"><INPUT TYPE="submit" VALUE="Change password"></TD>
+ <TD></TD>
</TR>
END
@@ -40,6 +52,7 @@ END
%>
</TABLE>
+</DIV>
</FORM>
<%= $body_footer %>
diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index f6f3c21..eac5a98 100755
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -94,6 +94,7 @@ my @nologin_actions = (qw(
process_forgot_password
do_process_forgot_password
process_forgot_password_session
+ validate_password_nologin
));
push @actions, @nologin_actions;
my %nologin_actions = map { $_=>1 } @nologin_actions;
@@ -1118,6 +1119,14 @@ sub validate_password {
)
}
+sub validate_password_nologin {
+ $action = 'validate_password'; #use same landing page
+ validate_passwd(
+ map { $_ => scalar($cgi->param($_)) }
+ qw( fieldid check_password )
+ )
+}
+
#--
sub do_template {
diff --git a/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html b/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.js
similarity index 98%
rename from fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html
rename to fs_selfservice/FS-SelfService/cgi/send_xmlhttp.js
index ac85cb2..e299168 100644
--- a/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html
+++ b/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.js
@@ -1,4 +1,3 @@
-<SCRIPT>
function rs_init_object () {
var A;
try {
@@ -41,5 +40,4 @@ function send_xmlhttp (url,args,callback) {
xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.send(content);
}
-</SCRIPT>
diff --git a/fs_selfservice/FS-SelfService/cgi/signup.cgi b/fs_selfservice/FS-SelfService/cgi/signup.cgi
index 072ce96..817fdd3 100755
--- a/fs_selfservice/FS-SelfService/cgi/signup.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/signup.cgi
@@ -508,31 +508,3 @@ use FS::SelfService qw( regionselector expselect popselector domainselector
didselector
);
-sub add_password_validation {
- my $fieldid = shift;
- my $out = '';
- if ((-e './send_xmlhttp.html') && (-e './add_password_validation.html')) {
- my $template = new Text::Template( TYPE => 'FILE',
- SOURCE => "./send_xmlhttp.html",
- DELIMITERS => [ '<%=', '%>' ],
- UNTAINT => 1,
- )
- or die $Text::Template::ERROR;
- $out .= $template->fill_in( PACKAGE => 'FS::SelfService::_signupcgi' );
- $template = new Text::Template( TYPE => 'FILE',
- SOURCE => "./add_password_validation.html",
- DELIMITERS => [ '<%=', '%>' ],
- UNTAINT => 1,
- )
- or die $Text::Template::ERROR;
- $out .= $template->fill_in( PACKAGE => 'FS::SelfService::_signupcgi' );
- $out .= <<ENDOUT;
-<SCRIPT>
-add_password_validation('$fieldid');
-</SCRIPT>
-ENDOUT
- }
- return $out;
-}
-
-
diff --git a/fs_selfservice/FS-SelfService/cgi/signup.html b/fs_selfservice/FS-SelfService/cgi/signup.html
index 5900ba6..def5299 100755
--- a/fs_selfservice/FS-SelfService/cgi/signup.html
+++ b/fs_selfservice/FS-SelfService/cgi/signup.html
@@ -386,12 +386,12 @@ ENDOUT
<TD ALIGN="right">Password</TD>
<TD>
<INPUT ID="new_password" TYPE="password" NAME="_password" VALUE="$_password">
- <DIV ID="new_password_result"></DIV>
-ENDOUT
-
- $OUT .= add_password_validation('new_password');
-
- $OUT .= <<ENDOUT;
+ <SPAN ID="new_password_result"></SPAN>
+ <SCRIPT SRC="send_xmlhttp.js"></SCRIPT>
+ <SCRIPT SRC="add_password_validation.js"></SCRIPT>
+ <SCRIPT>
+ add_password_validation('new_password',true);
+ </SCRIPT>
</TD>
</TR>
<TR>
diff --git a/httemplate/elements/validate_password.html b/httemplate/elements/validate_password.html
index fd2cb6c..a488c4f 100644
--- a/httemplate/elements/validate_password.html
+++ b/httemplate/elements/validate_password.html
@@ -32,13 +32,15 @@ function add_password_validation (fieldid) {
result = JSON.parse(result);
var resultfield = document.getElementById(result.fieldid);
if (resultfield) {
+ var errorimg = '<IMG SRC="<% $p %>images/error.png" style="width: 1em; display: inline-block; padding-right: .5em">';
+ var validimg = '<IMG SRC="<% $p %>images/tick.png" style="width: 1em; display: inline-block; padding-right: .5em">';
if (result.valid) {
- resultfield.innerHTML = '<SPAN STYLE="color: green;">Password valid!</SPAN>';
+ resultfield.innerHTML = validimg+'<SPAN STYLE="color: green;">Password valid!</SPAN>';
} else if (result.error) {
- resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
+ resultfield.innerHTML = errorimg+'<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
} else {
result.syserror = result.syserror || 'Server error';
- resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
+ resultfield.innerHTML = errorimg+'<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
}
}
}
commit eb2c0c03d10e1561f8bfbea42b29bdf1b165c52b
Author: Jonathan Prykop <jonathan at freeside.biz>
Date: Wed Dec 2 05:02:17 2015 -0600
RT#29354: Password Security in Email [xmlhttp validation for selfservice]
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index f50b9f1..3364821 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -3245,6 +3245,45 @@ sub process_reset_passwd {
}
+sub validate_passwd {
+ my $p = shift;
+
+ my %result;
+ %result = ( 'fieldid' => $p->{'fieldid'} )
+ if $p->{'fieldid'} =~ /^\w+$/;
+
+ return { %result, 'password_invalid' => 'Enter new password' }
+ unless length($p->{'check_password'});
+
+ my $svc_acct;
+ if ($p->{'svcnum'}) {
+ # false laziness with myaccount_passwd
+ my($context, $session, $custnum) = _custoragent_session_custnum($p);
+ return { %result, 'error' => $session } if $context eq 'error';
+
+ $custnum =~ /^(\d+)$/ or die "illegal custnum";
+ my $search = " AND custnum = $1";
+ $search .= " AND agentnum = ". $session->{'agentnum'} if $context eq 'agent';
+
+ $svc_acct = qsearchs( {
+ 'table' => 'svc_acct',
+ 'addl_from' => 'LEFT JOIN cust_svc USING ( svcnum ) '.
+ 'LEFT JOIN cust_pkg USING ( pkgnum ) '.
+ 'LEFT JOIN cust_main USING ( custnum ) ',
+ 'hashref' => { 'svcnum' => $p->{'svcnum'}, },
+ 'extra_sql' => $search, #important
+ } )
+ or return { %result, 'error' => "Service not found" };
+ # end false laziness
+ }
+
+ $svc_acct ||= new FS::svc_acct {};
+
+ my $error = $svc_acct->is_password_allowed($p->{'check_password'});
+ return { %result, 'password_invalid' => $error } if $error;
+ return { %result, 'password_valid' => 1 };
+}
+
sub list_tickets {
my $p = shift;
my($context, $session, $custnum) = _custoragent_session_custnum($p);
diff --git a/fs_selfservice/FS-SelfService/SelfService.pm b/fs_selfservice/FS-SelfService/SelfService.pm
index 9764ad4..7379452 100644
--- a/fs_selfservice/FS-SelfService/SelfService.pm
+++ b/fs_selfservice/FS-SelfService/SelfService.pm
@@ -95,6 +95,7 @@ $socket .= '.'.$tag if defined $tag && length($tag);
'reset_passwd' => 'MyAccount/reset_passwd',
'check_reset_passwd' => 'MyAccount/check_reset_passwd',
'process_reset_passwd' => 'MyAccount/process_reset_passwd',
+ 'validate_passwd' => 'MyAccount/validate_passwd',
'list_tickets' => 'MyAccount/list_tickets',
'create_ticket' => 'MyAccount/create_ticket',
'get_ticket' => 'MyAccount/get_ticket',
diff --git a/fs_selfservice/FS-SelfService/cgi/add_password_validation.html b/fs_selfservice/FS-SelfService/cgi/add_password_validation.html
new file mode 100644
index 0000000..e349fd7
--- /dev/null
+++ b/fs_selfservice/FS-SelfService/cgi/add_password_validation.html
@@ -0,0 +1,36 @@
+<SCRIPT>
+function add_password_validation (fieldid) {
+ var inputfield = document.getElementById(fieldid);
+ inputfield.onchange = function () {
+ var fieldid = this.id+'_result';
+ var resultfield = document.getElementById(fieldid);
+ var svcnum = '';
+ var svcfield = document.getElementById(this.id+'_svcnum');
+ if (svcfield) {
+ svcnum = svcfield.options[svcfield.selectedIndex].value;
+ }
+ if (this.value) {
+ resultfield.innerHTML = '<SPAN STYLE="color: blue;">Validating password...</SPAN>';
+ send_xmlhttp('selfservice.cgi',
+ ['action','validate_password','fieldid',fieldid,'svcnum',svcnum,'check_password',this.value],
+ function (result) {
+ result = JSON.parse(result);
+ var resultfield = document.getElementById(result.fieldid);
+ if (resultfield) {
+ if (result.valid) {
+ resultfield.innerHTML = '<SPAN STYLE="color: green;">Password valid!</SPAN>';
+ } else if (result.error) {
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
+ } else {
+ result.syserror = result.syserror || 'Server error';
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
+ }
+ }
+ }
+ );
+ } else {
+ resultfield.innerHTML = '';
+ }
+ };
+}
+</SCRIPT>
diff --git a/fs_selfservice/FS-SelfService/cgi/change_password.html b/fs_selfservice/FS-SelfService/cgi/change_password.html
index 22d8973..ef66554 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_password.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_password.html
@@ -12,7 +12,7 @@
<TR>
<TH ALIGN="right">Change password for account: </TH>
<TD>
- <SELECT NAME="svcnum">
+ <SELECT ID="new_password_svcnum" NAME="svcnum">
<%= foreach my $svc ( @svcs ) {
$OUT .= '<OPTION VALUE="'. $svc->{'svcnum'}. '"'.
( $svc->{'svcnum'} eq $svcnum ? ' SELECTED' : '' ). '>'.
@@ -25,7 +25,15 @@
<TR>
<TH ALIGN="right">New password: </TH>
- <TD><INPUT TYPE="password" NAME="new_password" SIZE="18"></TD>
+ <TD>
+ <INPUT ID="new_password" TYPE="password" NAME="new_password" SIZE="18">
+ <DIV ID="new_password_result"></DIV>
+<%= include('send_xmlhttp') %>
+<%= include('add_password_validation') %>
+<SCRIPT>
+add_password_validation('new_password');
+</SCRIPT>
+ </TD>
</TR>
<TR>
diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 4199f70..f6f3c21 100755
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -23,6 +23,7 @@ use FS::SelfService qw(
mason_comp port_graph
start_thirdparty finish_thirdparty
reset_passwd check_reset_passwd process_reset_passwd
+ validate_passwd
billing_history
);
@@ -84,6 +85,7 @@ my @actions = ( qw(
customer_suspend_pkg
process_suspend_pkg
history
+ validate_password
));
my @nologin_actions = (qw(
@@ -108,7 +110,6 @@ if ( $cgi->param('action') =~ /^process_forgot_password_session_(\w+)$/ ) {
warn "WARNING: unrecognized action '$1'\n";
}
}
-
unless ( $nologin_actions{$action} ) {
my %cookies = CGI::Cookie->fetch;
@@ -1109,6 +1110,14 @@ sub do_process_forgot_password {
);
}
+sub validate_password {
+ validate_passwd(
+ 'session_id' => $session_id,
+ map { $_ => scalar($cgi->param($_)) }
+ qw( fieldid svcnum check_password )
+ )
+}
+
#--
sub do_template {
diff --git a/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html b/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html
new file mode 100644
index 0000000..ac85cb2
--- /dev/null
+++ b/fs_selfservice/FS-SelfService/cgi/send_xmlhttp.html
@@ -0,0 +1,45 @@
+<SCRIPT>
+function rs_init_object () {
+ var A;
+ try {
+ A=new ActiveXObject("Msxml2.XMLHTTP");
+ } catch (e) {
+ try {
+ A=new ActiveXObject("Microsoft.XMLHTTP");
+ } catch (oc) {
+ A=null;
+ }
+ }
+ if(!A && typeof XMLHttpRequest != "undefined")
+ A = new XMLHttpRequest();
+ if (!A)
+ alert("Can't create XMLHttpRequest object");
+ return A;
+}
+
+function send_xmlhttp (url,args,callback) {
+ args = args || [];
+ callback = callback || function (data) { return data };
+ var content = '';
+ for (var i = 0; i < args.length; i = i + 2) {
+ content = content + "&" + args[i] + "=" + escape(args[i+1]);
+ }
+ content = content.replace( /[+]/g, '%2B'); // fix unescaped plus signs
+
+ var xmlhttp = rs_init_object();
+ xmlhttp.open("POST", url, true);
+
+ xmlhttp.onreadystatechange = function() {
+ if (xmlhttp.readyState != 4)
+ return;
+ if (xmlhttp.status == 200) {
+ var data = xmlhttp.responseText;
+ callback(data);
+ }
+ };
+
+ xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+ xmlhttp.send(content);
+}
+</SCRIPT>
+
diff --git a/fs_selfservice/FS-SelfService/cgi/signup.cgi b/fs_selfservice/FS-SelfService/cgi/signup.cgi
index 817fdd3..072ce96 100755
--- a/fs_selfservice/FS-SelfService/cgi/signup.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/signup.cgi
@@ -508,3 +508,31 @@ use FS::SelfService qw( regionselector expselect popselector domainselector
didselector
);
+sub add_password_validation {
+ my $fieldid = shift;
+ my $out = '';
+ if ((-e './send_xmlhttp.html') && (-e './add_password_validation.html')) {
+ my $template = new Text::Template( TYPE => 'FILE',
+ SOURCE => "./send_xmlhttp.html",
+ DELIMITERS => [ '<%=', '%>' ],
+ UNTAINT => 1,
+ )
+ or die $Text::Template::ERROR;
+ $out .= $template->fill_in( PACKAGE => 'FS::SelfService::_signupcgi' );
+ $template = new Text::Template( TYPE => 'FILE',
+ SOURCE => "./add_password_validation.html",
+ DELIMITERS => [ '<%=', '%>' ],
+ UNTAINT => 1,
+ )
+ or die $Text::Template::ERROR;
+ $out .= $template->fill_in( PACKAGE => 'FS::SelfService::_signupcgi' );
+ $out .= <<ENDOUT;
+<SCRIPT>
+add_password_validation('$fieldid');
+</SCRIPT>
+ENDOUT
+ }
+ return $out;
+}
+
+
diff --git a/fs_selfservice/FS-SelfService/cgi/signup.html b/fs_selfservice/FS-SelfService/cgi/signup.html
index 2bc59ca..5900ba6 100755
--- a/fs_selfservice/FS-SelfService/cgi/signup.html
+++ b/fs_selfservice/FS-SelfService/cgi/signup.html
@@ -336,7 +336,8 @@ HTML::Widgets::SelectLayers->new(
<FORM name="signup_form" action="<%= $self_url %>" METHOD="POST" onsubmit="return fixup_form();"><BR><FONT SIZE="+1"><B>First package</B></FONT>
<INPUT TYPE="hidden" NAME="promo_code" VALUE="<%= $promo_code %>">
<INPUT TYPE="hidden" NAME="reg_code" VALUE="<%= $reg_code %>">
-<TABLE BGCOLOR="<%= $box_bgcolor || '#c0c0c0' %>" BORDER=0 CELLSPACING=0 WIDTH="100%">
+<DIV STYLE="background: <%= $box_bgcolor %>; width: 100%">
+<TABLE BGCOLOR="<%= $box_bgcolor || '#c0c0c0' %>" BORDER=0 CELLSPACING=0>
<TR>
<TD COLSPAN=2><SELECT NAME="pkgpart">
@@ -383,7 +384,15 @@ ENDOUT
$OUT .= <<ENDOUT;
<TR>
<TD ALIGN="right">Password</TD>
- <TD><INPUT TYPE="password" NAME="_password" VALUE="$_password"></TD>
+ <TD>
+ <INPUT ID="new_password" TYPE="password" NAME="_password" VALUE="$_password">
+ <DIV ID="new_password_result"></DIV>
+ENDOUT
+
+ $OUT .= add_password_validation('new_password');
+
+ $OUT .= <<ENDOUT;
+ </TD>
</TR>
<TR>
<TD ALIGN="right">Re-enter Password</TD>
@@ -433,6 +442,7 @@ NOMADIX
%>
</TABLE>
+</DIV>
<%=
if ( @optional_packages ) {
diff --git a/fs_selfservice/FS-SelfService/cgi/validate_password.html b/fs_selfservice/FS-SelfService/cgi/validate_password.html
new file mode 100644
index 0000000..5cc3167
--- /dev/null
+++ b/fs_selfservice/FS-SelfService/cgi/validate_password.html
@@ -0,0 +1,9 @@
+<%= use JSON;
+ encode_json({
+ 'valid' => $password_valid ? 1 : 0,
+ 'error' => $password_invalid,
+ 'syserror' => $error,
+ 'fieldid' => $fieldid,
+ 'password_debug' => $password_debug,
+ }); %>
+
diff --git a/httemplate/elements/change_password.html b/httemplate/elements/change_password.html
index 7d8daae..2b40ec1 100644
--- a/httemplate/elements/change_password.html
+++ b/httemplate/elements/change_password.html
@@ -8,7 +8,7 @@
display: none;
}
</STYLE>
-<A ID="<%$pre%>link" HREF="#" onclick="<%$pre%>toggle(true)">(<% mt('change') %>)</A>
+<A ID="<%$pre%>link" HREF="javascript:void(0)" onclick="<%$pre%>toggle(true)">(<% mt('change') %>)</A>
<DIV ID="<%$pre%>form" CLASS="passwordbox">
<FORM METHOD="POST" ACTION="<%$fsurl%>misc/process/change-password.html">
<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svc_acct->svcnum |h%>">
commit e0258f0085ce5ef7d3b21a51fd60635f1735b421
Author: Jonathan Prykop <jonathan at freeside.biz>
Date: Tue Dec 1 20:51:33 2015 -0600
RT#29354: Password Security in Email [password_svc_check and aspell requirement]
diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index ae82b96..327eda8 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -63,14 +63,9 @@ sub is_password_allowed {
$error = 'Invalid password - ' . $error if $error;
return $error if $error;
- #check against known usernames
- my @disallowed_names = $self->password_disallowed_names;
- foreach my $noname (@disallowed_names) {
- if ($password =~ /$noname/i) {
- #keeping message ambiguous to avoid leaking personal info
- return 'Password contains a disallowed word';
- }
- }
+ #check against service fields
+ $error = $self->password_svc_check($password);
+ return $error if $error;
return '' unless $self->get($self->primary_key); # for validating new passwords pre-insert
@@ -108,15 +103,15 @@ sub is_password_allowed {
'';
}
-=item password_disallowed_names
+=item password_svc_check
-Override to return a list additional words (eg usernames) not
-to be used by passwords on this service.
+Override to run additional service-specific password checks.
=cut
-sub password_disallowed_names {
- return ();
+sub password_svc_check {
+ my ($self, $password) = @_;
+ return '';
}
=item password_history_key
diff --git a/FS/FS/svc_acct.pm b/FS/FS/svc_acct.pm
index 2332505..e963c80 100644
--- a/FS/FS/svc_acct.pm
+++ b/FS/FS/svc_acct.pm
@@ -2775,29 +2775,22 @@ sub virtual_maildir {
$self->domain. '/maildirs/'. $self->username. '/';
}
-=item password_disallowed_names
+=item password_svc_check
Override, for L<FS::Password_Mixin>. Not really intended for other use.
=cut
-sub password_disallowed_names {
- my $self = shift;
- my $dbh = dbh;
- my $results = {};
- foreach my $field ( qw( username finger ) ) {
- my $sql = 'SELECT DISTINCT '.$field.' FROM svc_acct';
- my $sth = $dbh->prepare($sql)
- or die "Error preparing $sql: ". $dbh->errstr;
- $sth->execute()
- or die "Error executing $sql: ". $sth->errstr;
- foreach my $row (@{$sth->fetchall_arrayref}, $self->get($field)) {
- foreach my $word (split(/\s+/,$$row[0])) {
- $results->{lc($word)} = 1;
+sub password_svc_check {
+ my ($self, $password) = @_;
+ foreach my $field ( qw(username finger) ) {
+ foreach my $word (split(/\W+/,$self->get($field))) {
+ if ($password =~ /$word/i) {
+ return qq(Password contains account information '$word');
}
}
}
- return keys %$results;
+ return '';
}
=back
diff --git a/debian/control b/debian/control
index ae17d29..fa2a990 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,7 @@ Description: Billing and trouble ticketing for service providers
Package: freeside-lib
Architecture: all
-Depends: gnupg,ghostscript,gsfonts,gzip,latex-xcolor,
+Depends: aspell-en,gnupg,ghostscript,gsfonts,gzip,latex-xcolor,
libbusiness-creditcard-perl,libcache-cache-perl,
libcache-simple-timedexpiry-perl,libchart-perl,libclass-container-perl,
libclass-data-inheritable-perl,libclass-returnvalue-perl,libcolor-scheme-perl,
commit 0375336c45591cb3354daafa2be5fdf8e905a3ea
Author: Jonathan Prykop <jonathan at freeside.biz>
Date: Sat Nov 21 01:54:21 2015 -0600
RT#29354: Password Security in Email [v3 merge]
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 8ab14fc..f50b9f1 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2947,12 +2947,6 @@ sub myaccount_passwd {
)
&& ! $svc_acct->check_password($p->{'old_password'});
- # should move password length checks into is_password_allowed
- $error = 'Password too short.'
- if length($p->{'new_password'}) < ($conf->config('passwordmin') || 6);
- $error = 'Password too long.'
- if length($p->{'new_password'}) > ($conf->config('passwordmax') || 8);
-
$error ||= $svc_acct->is_password_allowed($p->{'new_password'})
|| $svc_acct->set_password($p->{'new_password'})
|| $svc_acct->replace();
diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index 4ecf4c6..ae82b96 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -6,6 +6,7 @@ use FS::password_history;
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;
# https://rt.cpan.org/Ticket/Display.html?id=72743
+use Data::Password qw(:all);
our $DEBUG = 0;
our $conf;
@@ -44,7 +45,34 @@ sub is_password_allowed {
my $self = shift;
my $password = shift;
- # check length and complexity here
+ # basic checks using Data::Password;
+ # options for Data::Password
+ $DICTIONARY = 4; # minimum length of disallowed words
+ $MINLEN = $conf->config('passwordmin') || 6;
+ $MAXLEN = $conf->config('passwordmax') || 8;
+ $GROUPS = 4; # must have all 4 'character groups': numbers, symbols, uppercase, lowercase
+ # other options use the defaults listed below:
+ # $FOLLOWING = 3; # disallows more than 3 chars in a row, by alphabet or keyboard (ie abcd or asdf)
+ # $SKIPCHAR = undef; # set to true to skip checking for bad characters
+ # # lists of disallowed words
+ # @DICTIONARIES = qw( /usr/share/dict/web2 /usr/share/dict/words /usr/share/dict/linux.words );
+
+ my $error = IsBadPassword($password);
+ $error = 'must contain at least one each of numbers, symbols, and lowercase and uppercase letters'
+ if $error eq 'contains less than 4 character groups'; # avoid confusion
+ $error = 'Invalid password - ' . $error if $error;
+ return $error if $error;
+
+ #check against known usernames
+ my @disallowed_names = $self->password_disallowed_names;
+ foreach my $noname (@disallowed_names) {
+ if ($password =~ /$noname/i) {
+ #keeping message ambiguous to avoid leaking personal info
+ return 'Password contains a disallowed word';
+ }
+ }
+
+ return '' unless $self->get($self->primary_key); # for validating new passwords pre-insert
if ( $conf->config('password-no_reuse') =~ /^(\d+)$/ ) {
@@ -80,6 +108,17 @@ sub is_password_allowed {
'';
}
+=item password_disallowed_names
+
+Override to return a list additional words (eg usernames) not
+to be used by passwords on this service.
+
+=cut
+
+sub password_disallowed_names {
+ return ();
+}
+
=item password_history_key
Returns the name of the field in L<FS::password_history> that's the foreign
diff --git a/FS/FS/svc_acct.pm b/FS/FS/svc_acct.pm
index a8cb7ba..2332505 100644
--- a/FS/FS/svc_acct.pm
+++ b/FS/FS/svc_acct.pm
@@ -2775,6 +2775,31 @@ sub virtual_maildir {
$self->domain. '/maildirs/'. $self->username. '/';
}
+=item password_disallowed_names
+
+Override, for L<FS::Password_Mixin>. Not really intended for other use.
+
+=cut
+
+sub password_disallowed_names {
+ my $self = shift;
+ my $dbh = dbh;
+ my $results = {};
+ foreach my $field ( qw( username finger ) ) {
+ my $sql = 'SELECT DISTINCT '.$field.' FROM svc_acct';
+ my $sth = $dbh->prepare($sql)
+ or die "Error preparing $sql: ". $dbh->errstr;
+ $sth->execute()
+ or die "Error executing $sql: ". $sth->errstr;
+ foreach my $row (@{$sth->fetchall_arrayref}, $self->get($field)) {
+ foreach my $word (split(/\s+/,$$row[0])) {
+ $results->{lc($word)} = 1;
+ }
+ }
+ }
+ return keys %$results;
+}
+
=back
=head1 CLASS METHODS
diff --git a/debian/control b/debian/control
index 2e48eab..ae17d29 100644
--- a/debian/control
+++ b/debian/control
@@ -27,7 +27,8 @@ Depends: gnupg,ghostscript,gsfonts,gzip,latex-xcolor,
libcache-simple-timedexpiry-perl,libchart-perl,libclass-container-perl,
libclass-data-inheritable-perl,libclass-returnvalue-perl,libcolor-scheme-perl,
libcompress-zlib-perl,libconvert-binhex-perl,libcrypt-passwdmd5-perl,
- libcrypt-ssleay-perl,libcss-squish-perl,libdate-manip-perl,libdbd-mysql-perl,
+ libcrypt-ssleay-perl,libcss-squish-perl,
+ libdata-password-perl,libdate-manip-perl,libdbd-mysql-perl,
libdbd-pg-perl,libdbi-perl,libdbix-dbschema-perl,libdbix-searchbuilder-perl,
libdevel-stacktrace-perl,libdevel-symdump-perl,liberror-perl,
libexcel-writer-xlsx-perl,libexception-class-perl,libfile-counterfile-perl,
diff --git a/httemplate/edit/svc_acct.cgi b/httemplate/edit/svc_acct.cgi
index a5e7789..ff8e316 100755
--- a/httemplate/edit/svc_acct.cgi
+++ b/httemplate/edit/svc_acct.cgi
@@ -50,7 +50,12 @@
'required' => $part_svc->part_svc_column('_password')->required ) %>
<TD>
<INPUT TYPE="text" ID="clear_password" NAME="clear_password" VALUE="<% $password %>" SIZE=<% $pmax2 %> MAXLENGTH=<% $pmax %>>
- <& /elements/random_pass.html, 'clear_password' &>
+ <& /elements/random_pass.html, 'clear_password' &><BR>
+ <DIV ID="clear_password_result" STYLE="font-size: smaller"></DIV>
+ <& '/elements/validate_password.html',
+ 'fieldid' => 'clear_password',
+ 'svcnum' => $svcnum
+ &>
</TD>
</TR>
%}else{
diff --git a/httemplate/elements/change_password.html b/httemplate/elements/change_password.html
index 625ba1f..7d8daae 100644
--- a/httemplate/elements/change_password.html
+++ b/httemplate/elements/change_password.html
@@ -16,6 +16,12 @@
<& /elements/random_pass.html, $pre.'password', 'randomize' &>
<INPUT TYPE="submit" VALUE="change">
<INPUT TYPE="button" VALUE="cancel" onclick="<%$pre%>toggle(false)">
+ <DIV ID="<%$pre%>password_result" STYLE="font-size: smaller"></DIV>
+ <& '/elements/validate_password.html',
+ 'fieldid' => $pre.'password',
+ 'svcnum' => $svc_acct->svcnum,
+
+ &>
% if ( $error ) {
<BR><SPAN STYLE="color: #ff0000"><% $error |h %></SPAN>
% }
diff --git a/httemplate/elements/random_pass.html b/httemplate/elements/random_pass.html
index b215b77..14bbb58 100644
--- a/httemplate/elements/random_pass.html
+++ b/httemplate/elements/random_pass.html
@@ -1,13 +1,23 @@
<INPUT TYPE="button" VALUE="<% emt($label) %>" onclick="randomPass()">
<SCRIPT TYPE="text/javascript">
function randomPass() {
+ var lower='<% join('', 'a'..'z') %>';
+ var upper='<% join('', 'A'..'Z') %>';
+ var number='<% join('', '0'..'9') %>';
+ var symbol='`~!@#$%^&*-_=+:;<>,.?';
+ var pw_set=lower+upper+number+symbol;
+ var pass=[];
+ pass.push(lower.charAt(Math.floor(Math.random() * lower.length)));
+ pass.push(upper.charAt(Math.floor(Math.random() * lower.length)));
+ pass.push(number.charAt(Math.floor(Math.random() * number.length)));
+ pass.push(symbol.charAt(Math.floor(Math.random() * symbol.length)));
var i=0;
- var pw_set='<% join('', 'a'..'z', 'A'..'Z', '0'..'9' ) %>';
- var pass='';
- while(i < 8) {
+ while(i < 4) {
i++;
- pass += pw_set.charAt(Math.floor(Math.random() * pw_set.length));
+ pass.push(pw_set.charAt(Math.floor(Math.random() * pw_set.length)));
}
+ for(var j, x, i = pass.length; i; j = Math.floor(Math.random() * i), x = pass[--i], pass[i] = pass[j], pass[j] = x);
+ pass = pass.join('');
document.getElementById('<% $id %>').value = pass;
}
</SCRIPT>
diff --git a/httemplate/elements/validate_password.html b/httemplate/elements/validate_password.html
new file mode 100644
index 0000000..fd2cb6c
--- /dev/null
+++ b/httemplate/elements/validate_password.html
@@ -0,0 +1,58 @@
+<%doc>
+
+To validate passwords via javascript/xmlhttp:
+
+ <INPUT ID="password_field" TYPE="text">
+ <DIV ID="password_field_result">
+ <& '/elements/validate_password.html',
+ fieldid => 'password_field',
+ svcnum => $svcnum
+ &>
+
+The ID of the input field can be anything; the ID of the DIV in which to display results
+should be the input id plus '_result'.
+
+</%doc>
+
+<& '/elements/xmlhttp.html',
+ 'url' => $p.'misc/xmlhttp-validate_password.html',
+ 'subs' => [ 'validate_password' ],
+ 'method' => 'POST', # important not to put passwords in url
+&>
+<SCRIPT>
+function add_password_validation (fieldid) {
+ var inputfield = document.getElementById(fieldid);
+ inputfield.onchange = function () {
+ var fieldid = this.id+'_result';
+ var resultfield = document.getElementById(fieldid);
+ if (this.value) {
+ resultfield.innerHTML = '<SPAN STYLE="color: blue;">Validating password...</SPAN>';
+ validate_password('fieldid',fieldid,'svcnum','<% $opt{'svcnum'} %>','password',this.value,
+ function (result) {
+ result = JSON.parse(result);
+ var resultfield = document.getElementById(result.fieldid);
+ if (resultfield) {
+ if (result.valid) {
+ resultfield.innerHTML = '<SPAN STYLE="color: green;">Password valid!</SPAN>';
+ } else if (result.error) {
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
+ } else {
+ result.syserror = result.syserror || 'Server error';
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
+ }
+ }
+ }
+ );
+ } else {
+ resultfield.innerHTML = '';
+ }
+ };
+}
+add_password_validation('<% $opt{'fieldid'} %>');
+</SCRIPT>
+
+<%init>
+my %opt = @_;
+</%init>
+
+
diff --git a/httemplate/misc/xmlhttp-validate_password.html b/httemplate/misc/xmlhttp-validate_password.html
new file mode 100644
index 0000000..28dbf64
--- /dev/null
+++ b/httemplate/misc/xmlhttp-validate_password.html
@@ -0,0 +1,50 @@
+<%doc>
+Requires cgi params 'password' (plaintext) and 'sub' ('validate_password' is only
+acceptable value.) Also accepts 'svcnum' (for svc_acct, will otherwise create an
+empty dummy svc_acct) and 'fieldid' (for html post-processing, passed along in
+results for convenience.)
+
+Returns a json-encoded hashref with keys of 'valid' (set to 1 if object is valid),
+'error' (error text if password is invalid) or 'syserror' (error text if password
+could not be validated.) Only one of these keys will be set. Will also set
+'fieldid' if it was passed.
+</%doc>
+
+<% encode_json($result) %>
+
+<%init>
+
+my $validate_password = sub {
+ my %arg = $cgi->param('arg');
+ my %result;
+
+ $result{'fieldid'} = $arg{'fieldid'}
+ if $arg{'fieldid'} =~ /^\w+$/;
+
+ $result{'syserror'} = 'Request is not POST' unless $cgi->request_method eq 'POST';
+ return \%result if $result{'syserror'};
+
+ my $password = $arg{'password'};
+ $result{'syserror'} = 'Invoked without password' unless $password;
+ return \%result if $result{'syserror'};
+
+ my $svcnum = $arg{'svcnum'};
+ $result{'syserror'} = 'Invalid svcnum' unless $svcnum =~ /^\d*$/;
+ return \%result if $result{'syserror'};
+
+ my $svc_acct = $svcnum
+ ? qsearchs('svc_acct',{'svcnum' => $svcnum})
+ : (new FS::svc_acct {});
+ $result{'syserror'} = 'Could not find service' unless $svc_acct;
+ return \%result if $result{'syserror'};
+
+ $result{'error'} = $svc_acct->is_password_allowed($password);
+ $result{'valid'} = 1 unless $result{'error'};
+ return \%result;
+};
+
+my $result = ($cgi->param('sub') eq 'validate_password')
+ ? &$validate_password()
+ : { 'syserror' => 'Invalid sub' };
+
+</%init>
-----------------------------------------------------------------------
Summary of changes:
FS/FS/ClientAPI/MyAccount.pm | 45 +++++++++++++--
FS/FS/Password_Mixin.pm | 59 ++++++++++++++++++-
FS/FS/svc_acct.pm | 19 +++++++
debian/control | 5 +-
fs_selfservice/FS-SelfService/SelfService.pm | 1 +
.../FS-SelfService/cgi/add_password_validation.js | 38 +++++++++++++
.../FS-SelfService/cgi/change_password.html | 12 +++-
.../FS-SelfService/cgi}/images/error.png | Bin 666 -> 666 bytes
.../FS-SelfService/cgi}/images/tick.png | Bin 537 -> 537 bytes
.../cgi/process_forgot_password.html | 19 ++++++-
fs_selfservice/FS-SelfService/cgi/selfservice.cgi | 20 ++++++-
fs_selfservice/FS-SelfService/cgi/send_xmlhttp.js | 43 ++++++++++++++
fs_selfservice/FS-SelfService/cgi/signup.html | 14 ++++-
.../FS-SelfService/cgi/validate_password.html | 9 +++
httemplate/edit/svc_acct.cgi | 7 ++-
httemplate/elements/change_password.html | 8 ++-
httemplate/elements/random_pass.html | 18 ++++--
httemplate/elements/validate_password.html | 60 ++++++++++++++++++++
httemplate/misc/xmlhttp-validate_password.html | 50 ++++++++++++++++
19 files changed, 404 insertions(+), 23 deletions(-)
create mode 100644 fs_selfservice/FS-SelfService/cgi/add_password_validation.js
copy {httemplate => fs_selfservice/FS-SelfService/cgi}/images/error.png (100%)
copy {httemplate => fs_selfservice/FS-SelfService/cgi}/images/tick.png (100%)
create mode 100644 fs_selfservice/FS-SelfService/cgi/send_xmlhttp.js
create mode 100644 fs_selfservice/FS-SelfService/cgi/validate_password.html
create mode 100644 httemplate/elements/validate_password.html
create mode 100644 httemplate/misc/xmlhttp-validate_password.html
More information about the freeside-commits
mailing list