This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 07e1f828b6d3a23b008f1197a3faaaaf2a353b00
Author: Juan Pablo Santos Rodríguez <[email protected]>
AuthorDate: Sun Feb 20 22:24:32 2022 +0100

JSPWIKI-79 - Ounce Labs Security Finding: Authentication - Change Password
---
 .../src/main/java/org/apache/wiki/auth/DefaultUserManager.java | 9 ++++++---
 jspwiki-main/src/main/resources/templates/default.properties | 2 ++
 .../src/main/resources/templates/default_es.properties | 2 ++
 .../src/main/resources/templates/default_fr.properties | 2 ++
 jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp | 10 +++++-----
 jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp | 10 +++++-----
 6 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
index 99e78c6..56ddd19 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java
@@ -313,7 +313,6 @@ public class DefaultUserManager implements UserManager {
 /** {@inheritDoc} */
 @Override
 public void validateProfile( final Context context, final UserProfile profile ) {
- final boolean isNew = profile.isNew();
 final Session session = context.getWikiSession();
 final InputValidator validator = new InputValidator( SESSION_MESSAGES, context );
 final ResourceBundle rb = Preferences.getBundle( context, InternationalizationManager.CORE_BUNDLE );
@@ -341,19 +340,23 @@ public class DefaultUserManager implements UserManager {
 validator.validateNotNull( profile.getFullname(), rb.getString("security.user.fullname") );
 validator.validate( profile.getEmail(), rb.getString("security.user.email"), InputValidator.EMAIL );
- // If new profile, passwords must match and can't be null
 if( !m_engine.getManager( AuthenticationManager.class ).isContainerAuthenticated() ) {
 final String password = profile.getPassword();
 if( password == null ) {
- if( isNew ) {
+ if( profile.isNew() ) {
+ // If new profile, passwords must match and can't be null
 session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.blankpassword" ) );
 }
 } else {
 final HttpServletRequest request = context.getHttpRequest();
+ final String password0 = ( request == null ) ? null : request.getParameter( "password0" );
 final String password2 = ( request == null ) ? null : request.getParameter( "password2" );
 if( !password.equals( password2 ) ) {
 session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.passwordnomatch" ) );
 }
+ if( !profile.isNew() && !getUserDatabase().validatePassword( profile.getLoginName(), password0 ) ) {
+ session.addMessage( SESSION_MESSAGES, rb.getString( "security.error.passwordnomatch" ) );
+ }
 }
 }
diff --git a/jspwiki-main/src/main/resources/templates/default.properties b/jspwiki-main/src/main/resources/templates/default.properties
index 501a65f..e9fe16f 100644
--- a/jspwiki-main/src/main/resources/templates/default.properties
+++ b/jspwiki-main/src/main/resources/templates/default.properties
@@ -418,6 +418,8 @@ prefs.loginname.cannotset.exists=You cannot set your login name because \
 prefs.password=Password *
 prefs.password.description=Sets your account password. It may not be blank.
+prefs.password0=Current Password *
+prefs.password1=New Password *
 prefs.password2=Password verify *
 prefs.password2.description=Re-type your password for verification.
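Review bot: The current-password check added on the `validatePassword( profile.getLoginName(), password0 )` line forwards `password0` unchecked, so when the parameter is absent or `context.getHttpRequest()` is null a `null` reaches the UserDatabase and the outcome (rejection or a NullPointerException) depends on an implementation not visible here; treating a missing value as a failed check, `if( !profile.isNew() && ( password0 == null || !getUserDatabase().validatePassword( profile.getLoginName(), password0 ) ) ) {`, makes the failure deterministic. The wrong-current-password branch also reuses `security.error.passwordnomatch`, the key used two lines above for the new/verify mismatch, so a user who mistyped the old password is told that the two new passwords differ; a dedicated key (e.g. `security.error.oldpassword`, a constructed name) would keep the two failures distinguishable. Note too that the check runs against `profile.getLoginName()`; if the login name in the submitted profile can differ from the authenticated user's (the bundle's `prefs.loginname.cannotset.exists` suggests it is editable in some configurations), the old password should be verified against the session's login principal instead — worth confirming against how the profile is parsed. validateProfile continues outside the hunk.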
diff --git a/jspwiki-main/src/main/resources/templates/default_es.properties b/jspwiki-main/src/main/resources/templates/default_es.properties
index 5519cde..e8b62e5 100644
--- a/jspwiki-main/src/main/resources/templates/default_es.properties
+++ b/jspwiki-main/src/main/resources/templates/default_es.properties
@@ -423,6 +423,8 @@ prefs.loginname.cannotset.exists=No puedes establecer tu nombre de inicio de ses
 prefs.password=Contrase�a *
 prefs.password.description=Establece la contrase�a de acceso a la cuenta. No puede estar en blanco.
+prefs.password0=Contrase�a Actual *
+prefs.password1=Nueva Contrase�a *
 prefs.password2=Verificaci�n de contrase�a *
 prefs.password2.description=Escribe tu contrase�a otra vez para verificarla.
diff --git a/jspwiki-main/src/main/resources/templates/default_fr.properties b/jspwiki-main/src/main/resources/templates/default_fr.properties
index a692aca..835b776 100644
--- a/jspwiki-main/src/main/resources/templates/default_fr.properties
+++ b/jspwiki-main/src/main/resources/templates/default_fr.properties
@@ -466,6 +466,8 @@ prefs.loginname.cannotset.exists=Vous ne pouvez pas fixer votre identifiant car
 prefs.password=Mot de passe *
 prefs.password.description=Fixe le mot de passe de votre compte. Il ne peut pas \u00EAtre blanc.
+prefs.password0=Mot de passe actuel *
+prefs.password1=nNouveau mot de passe *
 prefs.password2=V\u00E9rification du mot de passe *
 prefs.password2.description=Re-saisissez votre mot de passe pour v\u00E9rification.
diff --git a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
index 50349af..969734f 100644
--- a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
@@ -40,7 +40,7 @@
 value='profile'/></wiki:Link></wiki:CheckRequestContext>"
 id="editProfile"
 class="wikiform"
- onsubmit="return Wiki.submitOnce( this );"
+ onsubmit="return Wiki.submitOnce( this );"
 method="post" accept-charset="UTF-8">
 <h3>
@@ -80,12 +80,12 @@
 <!-- Password; not displayed if container auth used -->
 <wiki:UserProfile property="canChangePassword">
 <tr>
+ <td><label for="password0">Old</label> </label></td>
+ <td><input type="password" name="password0" id="password0" size="20" value="" /> </td>
+ </tr>
+ <tr>
 <td><label for="password"><fmt:message key="prefs.password"/></label></td>
 <td>
- <%--FIXME Enter Old PW to validate change flow, not yet treated by JSPWiki
- <label for="password0">Old</label>
- <input type="password" name="password0" id="password0" size="20" value="" />
- --%>
 <input type="password" name="password" id="password" size="20" value="" />
 </td>
 </tr>
diff --git a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
index d37b275..36a7bef 100644
--- a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
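Review bot: The added label line `<td><label for="password0">Old</label> </label></td>` in the second hunk of this file has a stray closing `</label>` and a hard-coded English caption, while the sibling label a few lines below reads its text through `<fmt:message key="prefs.password"/>` and this commit adds a `prefs.password0` bundle key for exactly this field; the line should be `<td><label for="password0"><fmt:message key="prefs.password0"/></label></td>`. The new `password0` input could also carry `autocomplete="current-password"` so browsers and password managers do not treat it as the new password. The first hunk in this file only changes whitespace.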
@@ -98,11 +98,11 @@
 <!-- Password field; not displayed if container auth used -->
 <wiki:UserProfile property="canChangePassword">
 <div class="form-group">
- <label class="control-label form-col-20" for="password"><fmt:message key="prefs.password"/></label>
- <%--FIXME Enter Old PW to validate change flow, not yet treated by JSPWiki
- <label class="control-label form-col-20" for="password0">Old</label>
- <input type="password" name="password0" id="password0" size="20" value="" />
- --%>
+ <label class="control-label form-col-20" for="password0"><fmt:message key="prefs.password0"/></label>
+ <input class="form-control form-col-50" type="password" name="password0" id="password0" size="20" value="" />
+ </div>
+ <div class="form-group">
+ <label class="control-label form-col-20" for="password"><fmt:message key="prefs.password1"/></label>
 <input class="form-control form-col-50" type="password" name="password" id="password" size="20" value="" required/>
 </div>
 <div class="form-group">
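Review bot: The new `password0` input is the only password field in this group without `required` — the `password` input on the context line below keeps it — so the browser submits the form with an empty current password and everything relies on the server-side check in DefaultUserManager; adding `required` to that line keeps the client-side contract consistent, and `autocomplete="current-password"` on it (with `autocomplete="new-password"` on the `password` input) tells browsers and password managers which field is which. The label for the `password` input now uses `prefs.password1`, whose French value added in this commit reads `nNouveau mot de passe *` with a doubled `n`. Whether the existing `prefs.password` key is still referenced elsewhere after this change is not visible here.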
