[Bug 19514] New: No Password restrictions in onboarding tool patron creation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Bug ID: 19514 Summary: No Password restrictions in onboarding tool patron creation Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: ASSIGNED Severity: critical Priority: P3 Component: Installation and upgrade (web-based installer) Assignee: alexbuckley@catalyst.net.nz Reporter: alexbuckley@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com When a superlibrarian user account is created in the onboarding tool there is no checking of the password other than checking the two inputted password values are matching. This means the password length, complexity and if it contains whitespace is not checked. This means users can enter in weak passwords causing a security vulnerability which is particularly bad in this case because a superlibrarian user is being created. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 --- Comment #1 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Created attachment 68386 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68386&action=edit Bug 19514 - Password restrictions implemented into onboarding tool Test plan: 1. Drop and recreate your database 2. Restart memcached 3. Go through the web installer 4. In the onboarding tool create a patron with a password of only 2 characters in length 5. Notice the patron is successfully created and no warning message is displayed 6. Repeat step 1,2,3 and create a patron with a password of 3 characters none of which are a uppercase letter or number and notice the patron is successfully created and no warning message is displayed 7. Apply patch 8. Repeat steps 1,2,3 and create a patron with a password consisting of 2 characters, notice that after submitting the form the same form is loaded again and there is a warning message at the top of the page informing you the patron wasn't created 9. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (all lower case) and submit the form, notice the same form is reloaded and a warning message at the top of the page informs you that the patron wasn't created because the password was weak 10. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (one lower case letter, one upper case letter and one number) and submit the form and notice this time the next form in the onboarding is displayed with the message at the top of the screen informing you that the patron was successfully created Sponsored-By: Catalyst IT -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #68386|0 |1 is obsolete| | --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 68387 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68387&action=edit Bug 19514 - Password restrictions implemented into onboarding tool Test plan: 1. Drop and recreate your database 2. Restart memcached 3. Go through the web installer 4. In the onboarding tool create a patron with a password of only 2 characters in length 5. Notice the patron is successfully created and no warning message is displayed 6. Repeat step 1,2,3 and create a patron with a password of 3 characters none of which are a uppercase letter or number and notice the patron is successfully created and no warning message is displayed 7. Apply patch 8. Repeat steps 1,2,3 and create a patron with a password consisting of 2 characters, notice that after submitting the form the same form is loaded again and there is a warning message at the top of the page informing you the patron wasn't created 9. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (all lower case) and submit the form, notice the same form is reloaded and a warning message at the top of the page informs you that the patron wasn't created because the password was weak 10. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (one lower case letter, one upper case letter and one number) and submit the form and notice this time the next form in the onboarding is displayed with the message at the top of the screen informing you that the patron was successfully created Sponsored-By: Catalyst IT Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- As discussed on IRC: Did you plan to change the setting of minimum password length in onboarding too on another patch ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=18308 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 --- Comment #4 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Hi Marcel Yes I plan to have a patch attached to bug 18308 for setting the minimum password length in the onboarding tool -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #5 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Alex, it works but there is no client-side validation Take a look at commit 7cc65af6ffdabbabe7ae3463f51096de375216ad Bug 18298: Use the validate jQuery plugin We want this form to behave like others. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |In Discussion --- Comment #6 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Hi Jonathan I have tried implemented the client side validation by doing the following: 1. Adding the following pragma at the start of onboardingstep3.tt: [% USE Koha %] 2. Adding the following to the bottom of the same file: [% PROCESS 'password_check.inc' %] [% PROCESS 'add_password_check' new_password => 'newpassword' %] 3. Added the following to the validation in the ../../../js/onboarding.js password: required: true, password_strong: true password_no_spaces: true },? password2: { required: true, password_match: true } . I notice that I get the JS error 'TypeError: _(...).format is not a function. This error is not thrown by the memberentrygen.tt file which uses the same client side validation. Can you give me any suggestions as to how to fix this issue -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 --- Comment #7 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 68982 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=68982&action=edit Bug 19514: Add client-side check -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 David Bourgault <david.bourgault@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #68387|0 |1 is obsolete| | --- Comment #8 from David Bourgault <david.bourgault@inlibro.com> --- Created attachment 69208 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69208&action=edit Bug 19514 - Password restrictions implemented into onboarding tool Test plan: 1. Drop and recreate your database 2. Restart memcached 3. Go through the web installer 4. In the onboarding tool create a patron with a password of only 2 characters in length 5. Notice the patron is successfully created and no warning message is displayed 6. Repeat step 1,2,3 and create a patron with a password of 3 characters none of which are a uppercase letter or number and notice the patron is successfully created and no warning message is displayed 7. Apply patch 8. Repeat steps 1,2,3 and create a patron with a password consisting of 2 characters, notice that after submitting the form the same form is loaded again and there is a warning message at the top of the page informing you the patron wasn't created 9. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (all lower case) and submit the form, notice the same form is reloaded and a warning message at the top of the page informs you that the patron wasn't created because the password was weak 10. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (one lower case letter, one upper case letter and one number) and submit the form and notice this time the next form in the onboarding is displayed with the message at the top of the screen informing you that the patron was successfully created Sponsored-By: Catalyst IT Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: David Bourgault <david.bourgault@inlibro.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 David Bourgault <david.bourgault@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #68982|0 |1 is obsolete| | --- Comment #9 from David Bourgault <david.bourgault@inlibro.com> --- Created attachment 69209 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69209&action=edit Bug 19514: Add client-side check Signed-off-by: David Bourgault <david.bourgault@inlibro.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 David Bourgault <david.bourgault@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |david.bourgault@inlibro.com --- Comment #10 from David Bourgault <david.bourgault@inlibro.com> --- Tested working on Firefox 57, Chrome 62 and Opera 49. Did not work on Firefox 58 from the mozillateam/firefox-next PPA (ubuntu). Marking as signed-off anyway since Firefox 58 is considered beta, and this provides both server-side and client-side validation. QA tool green. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|critical |major --- Comment #11 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Lowering severity, this does not appear critical to me. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |18308 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18308 [Bug 18308] Default value of minPasswordLength should be increased -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #69208|0 |1 is obsolete| | --- Comment #12 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 69796 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69796&action=edit Bug 19514 - Password restrictions implemented into onboarding tool Test plan: 1. Drop and recreate your database 2. Restart memcached 3. Go through the web installer 4. In the onboarding tool create a patron with a password of only 2 characters in length 5. Notice the patron is successfully created and no warning message is displayed 6. Repeat step 1,2,3 and create a patron with a password of 3 characters none of which are a uppercase letter or number and notice the patron is successfully created and no warning message is displayed 7. Apply patch 8. Repeat steps 1,2,3 and create a patron with a password consisting of 2 characters, notice that after submitting the form the same form is loaded again and there is a warning message at the top of the page informing you the patron wasn't created 9. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (all lower case) and submit the form, notice the same form is reloaded and a warning message at the top of the page informs you that the patron wasn't created because the password was weak 10. Repeat steps 1,2,3 and create a patron with a password consisting of 3 characters (one lower case letter, one upper case letter and one number) and submit the form and notice this time the next form in the onboarding is displayed with the message at the top of the screen informing you that the patron was successfully created Sponsored-By: Catalyst IT Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: David Bourgault <david.bourgault@inlibro.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #69209|0 |1 is obsolete| | --- Comment #13 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 69797 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69797&action=edit Bug 19514: Add client-side check Signed-off-by: David Bourgault <david.bourgault@inlibro.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |josef.moravec@gmail.com |y.org | CC| |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #14 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 18.05, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com Status|Pushed to Master |Pushed to Stable --- Comment #15 from Nick Clemens <nick@bywatersolutions.com> --- Awesome work all! Pushed to stable for 17.11.02 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Fridolin SOMERS <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #16 from Fridolin SOMERS <fridolin.somers@biblibre.com> --- Pushed to 17.05.x for v17.05.08 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Fridolin SOMERS <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |18298 --- Comment #17 from Fridolin SOMERS <fridolin.somers@biblibre.com> --- Ouch depends on Bug 18298 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18298 [Bug 18298] Allow enforcing password complexity -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 --- Comment #18 from Fridolin SOMERS <fridolin.somers@biblibre.com> --- (In reply to Fridolin SOMERS from comment #16)
Pushed to 17.05.x for v17.05.08
I choose to revert since depends on new 17.11 feature Bug 18298 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19514 Fridolin SOMERS <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to Stable |RESOLVED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org