Page MenuHomePhabricator

Installer allows creating an admin password which is too short
Closed, ResolvedPublic

Description

T94774 changed the minimal password length for admins to 8, but the installer was not updated and still allows creating a password of any length. When you try to log in to your new wiki, you're immediately greeted with a password reset form complaining about your tiny password.

Event Timeline

Majr created this task.Oct 16 2015, 2:31 PM
Majr raised the priority of this task from to Needs Triage.
Majr updated the task description. (Show Details)
Majr added a project: MediaWiki-Installer.
Majr added a subscriber: Majr.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 16 2015, 2:31 PM

From my point of understand, does it mean that wiki password before(earlier versions) could take varying length of password but now the minimum length is 8 chars. So if someones password was say less than 8 chars (<8 chars) if he/she wants to login to the new release (1.26) he/she will be asked to reset the password?

If my understanding of this task is true, then i will like to work on this task :)

The only problem that i am having is that i need to know where the installer instance in Wiki is so i can access the codes. :)

D3r1ck01 claimed this task.Oct 16 2015, 5:15 PM

User::checkPasswordValidity is called in the WebInstallerPage.php, but at that time the user group is not set, because setting the user group needs a database, which is not created yet. Therefore the password policy for sysop user group cannot be checked at this point.

I don't understand clearly what this task is to do. I can see that some policies are set to 8 for MinimulPasswordLength so i am kind of confused which of them should be used. I know that the check is done when the submit() function is called in WebInstallerPage.php. So i don't know which policy is check and also the check of the password length.

D3r1ck01 removed D3r1ck01 as the assignee of this task.Oct 16 2015, 10:03 PM

Change 249722 had a related patch set uploaded (by TTO):
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/249722

TTO added a subscriber: TTO.Oct 29 2015, 12:33 PM

This was fixed by @csteipp in rMW66147c798aaf: Check install user's password as sysop/bureaucrat, then effectively reverted, for slightly unclear reasons, in rMW6a69a4eb733b: Add "purpose" to password validity check. That latter patch was in response to T104615, which didn't seem to have anything to do with the installer, so I'm a bit puzzled.

demon triaged this task as High priority.Nov 2 2015, 7:27 PM
demon moved this task from Backlog to To be backported on the MW-1.26-release board.

Change 249722 merged by jenkins-bot:
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/249722

Change 250488 had a related patch set uploaded (by Chad):
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/250488

Change 250488 merged by jenkins-bot:
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/250488

demon closed this task as Resolved.Nov 2 2015, 8:36 PM
demon claimed this task.
demon moved this task from To be backported to Done on the MW-1.26-release board.