Page MenuHomePhabricator
Create Task
Maniphest T115700

Installer allows creating an admin password which is too short
Closed, ResolvedPublic
Actions

Description

T94774 changed the minimal password length for admins to 8, but the installer was not updated and still allows creating a password of any length. When you try to log in to your new wiki, you're immediately greeted with a password reset form complaining about your tiny password.

Details

SubjectRepoBranchLines +/-
Installer: Validate password against sysop/bureaucrat policiesmediawiki/coreREL1_26+25 -12
Installer: Validate password against sysop/bureaucrat policiesmediawiki/coremaster+25 -12
Customize query in gerrit

Related Objects
Search...

Event Timeline

Majr created this task.Oct 16 2015, 2:31 PM
Majr raised the priority of this task from to Needs Triage.
Majr updated the task description. (Show Details)
Majr added a project: MediaWiki-Installer.
Majr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 16 2015, 2:31 PM
Aklapper added projects: MW-1.26-release, good first task.Oct 16 2015, 2:45 PM
Aklapper set Security to None.
xSavitar subscribed.Oct 16 2015, 4:52 PM
xSavitar added a comment.Oct 16 2015, 4:56 PM

From my point of understand, does it mean that wiki password before(earlier versions) could take varying length of password but now the minimum length is 8 chars. So if someones password was say less than 8 chars (<8 chars) if he/she wants to login to the new release (1.26) he/she will be asked to reset the password?

If my understanding of this task is true, then i will like to work on this task :)

xSavitar added a comment.Oct 16 2015, 5:05 PM

The only problem that i am having is that i need to know where the installer instance in Wiki is so i can access the codes. :)

xSavitar claimed this task.Oct 16 2015, 5:15 PM
Umherirrender added subscribers: Umherirrender, csteipp, Anomie.EditedOct 16 2015, 6:12 PM

User::checkPasswordValidity is called in the WebInstallerPage.php, but at that time the user group is not set, because setting the user group needs a database, which is not created yet. Therefore the password policy for sysop user group cannot be checked at this point.

Umherirrender added a comment.Oct 16 2015, 6:17 PM

See also T104092

xSavitar added a comment.Oct 16 2015, 7:42 PM

I don't understand clearly what this task is to do. I can see that some policies are set to 8 for MinimulPasswordLength so i am kind of confused which of them should be used. I know that the check is done when the submit() function is called in WebInstallerPage.php. So i don't know which policy is check and also the check of the password length.

Dzahn added a subtask: T94774: Password policies by group.Oct 16 2015, 9:34 PM
xSavitar removed xSavitar as the assignee of this task.Oct 16 2015, 10:03 PM
gerritbot subscribed.Oct 29 2015, 12:24 PM

Change 249722 had a related patch set uploaded (by TTO):
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/249722

gerritbot added a project: Patch-For-Review.Oct 29 2015, 12:24 PM
TTO subscribed.Oct 29 2015, 12:33 PM

This was fixed by @csteipp in rMW66147c798aaf: Check install user's password as sysop/bureaucrat, then effectively reverted, for slightly unclear reasons, in rMW6a69a4eb733b: Add "purpose" to password validity check. That latter patch was in response to T104615, which didn't seem to have anything to do with the installer, so I'm a bit puzzled.

demon triaged this task as High priority.Nov 2 2015, 7:27 PM
demon moved this task from Backlog to To be backported on the MW-1.26-release board.
gerritbot added a comment.Nov 2 2015, 7:35 PM

Change 249722 merged by jenkins-bot:
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/249722

gerritbot added a comment.Nov 2 2015, 7:54 PM

Change 250488 had a related patch set uploaded (by Chad):
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/250488

ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2015-11-03_(1.27.0-wmf.5)), MW-1.27-release-notes.Nov 2 2015, 8:00 PM
gerritbot added a comment.Nov 2 2015, 8:23 PM

Change 250488 merged by jenkins-bot:
Installer: Validate password against sysop/bureaucrat policies

https://gerrit.wikimedia.org/r/250488

demon closed this task as Resolved.Nov 2 2015, 8:36 PM
demon claimed this task.
demon moved this task from To be backported to Done on the MW-1.26-release board.
greg added a project: Essential-Work.Jan 13 2016, 8:37 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits