Describe the bug
Hi, I've tried to change PASSWORD_LENGTH in classes/Validate.php (to 8, for example). But when registering a new customer with the Classic theme, the allowed length is still 5. I had a look at the HTML code on the register page and saw a pattern=".{5,}". If I change the value 5 to 1, I'm able to register a new customer with a password of 1 character. So it seems that the function isPasswd(...) is never used in the controller, because there is no check on the backend of the length of the password.
Additional information
PrestaShop version: 1.7.4.2
PHP version: 7.0.31
Hi @anael687,
In the Project_folder/themes/Classic/templates/_partials/form-fields.tpl file, you need to replace this
```smarty
{block name='form_field_item_password'}
<div class="input-group js-parent-focus">
<input
class="form-control js-child-focus js-visible-password"
name="{$field.name}"
type="password"
value=""
pattern=".{literal}{{/literal}5,{literal}}{/literal}"
{if $field.required}required{/if}
>
```
with this
```smarty
{block name='form_field_item_password'}
<div class="input-group js-parent-focus">
<input
class="form-control js-child-focus js-visible-password"
name="{$field.name}"
type="password"
value=""
pattern=".{literal}{{/literal}8,{literal}}{/literal}"
{if $field.required}required{/if}
>
```
I close the issue; feel free to open a new one when needed.
PS: you need to clear the cache of your browser and your shop.
Best regards, Khouloud
Thanks for the prompt answer. But what about the fact that it is not checked with Validate.php?
Hi @anael687,
It is to check the contact form about creating a new customer in BO.
Best regards, Khouloud
I've found the same problem, and I fixed it by modifying classes/form/CustomerForm.php, adding at line 130:
```php
$passwordField = $this->getField('password');
if (!Validate::isPasswd($passwordField->getValue())) {
    $passwordField->addError($this->translator->trans(
        'The password is not in a valid format.', array(), 'Shop.Notifications.Error'
    ));
}
```
I prefer server-side security to front-end security.
Thank you for sharing. Much appreciated.
On 2018-12-18 08:03, web-fu wrote:
> I've found the same problem, and I fixed it by modifying classes/form/CustomerForm.php, adding at line 130:
> ```php
> $passwordField = $this->getField('password');
> if (!Validate::isPasswd($passwordField->getValue())) {
>     $passwordField->addError($this->translator->trans(
>         'The password is not in a valid format.', array(), 'Shop.Notifications.Error'
>     ));
> }
> ```
> I prefer server-side security to front-end security.
@khouloudbelguith I think this is an issue we should consider; we indeed cannot rely on front-end validation, which can be easily bypassed by using a cURL client.
@web-fu do you feel like making a PR with your contribution? I can do it, but I would "steal" the credit you deserve 😉
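As an added illustration of the point made in this thread (this is not PrestaShop code and not web-fu's patch): a stand-alone PHP sketch in which the password length is checked on the server, so a request that never went through the browser's `pattern` attribute is still rejected. `PasswordPolicy::isPasswd` and `CustomerRegistrationForm` are hypothetical stand-ins modelled on the `Validate::isPasswd` / `CustomerForm::validate` check discussed above, the minimum length of 8 is an assumed policy value, and the two request arrays are constructed inputs standing in for a browser submission and a direct cURL POST.

```php
<?php
// Added example, not PrestaShop's own code. PasswordPolicy and CustomerRegistrationForm
// are hypothetical stand-ins for Validate::isPasswd and CustomerForm; the request arrays
// at the bottom are constructed inputs. Written for PHP 7.0 to match the reporter's setup.

final class PasswordPolicy
{
    const MIN_LENGTH = 8;   // assumed policy value (the thread raises the default 5 to 8)
    const MAX_LENGTH = 255;

    /** Server-side length check: runs regardless of what the browser did or skipped. */
    public static function isPasswd($passwd, $min = self::MIN_LENGTH)
    {
        $len = function_exists('mb_strlen') ? mb_strlen($passwd, 'UTF-8') : strlen($passwd);
        return $len >= $min && $len < self::MAX_LENGTH;
    }
}

final class CustomerRegistrationForm
{
    private $post;
    private $errors = array();

    public function __construct(array $post)
    {
        $this->post = $post;
    }

    /** Returns true only when every server-side check passes; errors are keyed by field. */
    public function validate()
    {
        $password = isset($this->post['password']) ? (string) $this->post['password'] : '';
        if (!PasswordPolicy::isPasswd($password)) {
            $this->errors['password'] = sprintf(
                'The password is not in a valid format (at least %d characters).',
                PasswordPolicy::MIN_LENGTH
            );
        }
        return empty($this->errors);
    }

    public function getErrors()
    {
        return $this->errors;
    }
}

// Constructed request bodies. The first is what a browser submits after pattern=".{8,}"
// passed; the second is what any HTTP client (curl, a script) can send directly, because
// the pattern attribute only ever executed inside the browser.
$requests = array(
    'browser form' => array('email' => 'anna@example.com', 'password' => 'correct-horse-battery'),
    'curl bypass'  => array('email' => 'anna@example.com', 'password' => 'x'),
);

foreach ($requests as $label => $post) {
    $form = new CustomerRegistrationForm($post);
    $result = $form->validate() ? 'accepted' : 'rejected: ' . implode(' ', $form->getErrors());
    printf("%-13s %s\n", $label, $result);
}
```

Run it with `php example.php`: the first request is accepted and the second is rejected even though no HTML `pattern` was ever evaluated. That is the property the CustomerForm change above restores; the front-end `pattern` in form-fields.tpl is only a usability hint and should mirror, never replace, the server-side length check.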
Submitted!
I almost forgot this fix 👍
Hello @PierreRambaud, is this issue still valid, since a PR improving the password policy has already been merged?
The PR about the password policy has not been merged: https://github.com/PrestaShop/PrestaShop/pull/12824 is still waiting for a decision on what we want.
Still thinking it should be merged.