
install.php seems to allow setting an invalid password
Closed, Resolved (Public)

Description

I used install.php with --pass to set a short temporary password. After installation I could not log in, maybe because it was too short and thus invalid.


Version: 1.22.0
Severity: normal

Details

Reference
bz54718

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 2:22 AM
bzimport set Reference to bz54718.
bzimport added a subscriber: Unknown Object (MLST).

[[mw:Manual:$wgMinimalPasswordLength]] is supposed to be 1.

mails2vichu wrote:

I would like to work on this. Can you please assign this bug to me?

mails2vichu wrote:

I can't find a line like the one mentioned above in the file install.php.

mails2vichu wrote:

Can changing as per the instructions in the User.php file fix this bug?

Vishnu Nk: It would be helpful if you mentioned whether you have successfully reproduced the problem, and described what a fix would look like.

mails2vichu wrote:

Sir, as mentioned above, "$wgMinimalPasswordLength" was only found in the User.php file in the includes directory,
and there is a case at line number 4688 where the it has been assigned to 0.Is that the problem mentioned?

(In reply to comment #6)

> line number 4688 where the it has been assigned to

It's line 4689 in git master: https://git.wikimedia.org/blob/mediawiki%2Fcore.git/HEAD/includes%2FUser.php#L4688

> 0.Is

I read this as "0.Is" initially - please avoid [[Klempen]].

> Is that the problem mentioned?

Not sure if I understand your question, but I guess you want to use "git log" (or "blame") to investigate why == 0 was set and investigate yourself if this has something to do with this problem and test yourself a bit. :)

It is set to 1 by default. This is applied by default (so afaik it should be affecting the installer as well).

includes/DefaultSettings.php
3949: $wgMinimalPasswordLength = 1;

includes/specials/SpecialUserlogin.php
336: $wgMinimalPasswordLength, $wgEmailConfirmToEdit;
425: $valid = array( $valid, $wgMinimalPasswordLength );

includes/User.php
704: global $wgMinimalPasswordLength, ..;
718: if ( strlen( $password ) < $wgMinimalPasswordLength ) {
853: $length = max( 10, $wgMinimalPasswordLength );
...

It doesn't seem to be overridden or assigned anywhere else.

What exactly is the problem? I can't find any reason why the $user->setPassword call in Installer.php would be any different from others. It triggers the same validation, same settings, and throws the same exception in case of a too short or otherwise invalid value.

Umherirrender edited subscribers, added: Umherirrender; removed: wikibugs-l-list.

Looks fixed, when running install.php with --pass=core getting:

Invalid wiki admin password:
* Passwords must be at least 10 characters.
* The password entered is in a list of very commonly used passwords. Please choose a more unique password.
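
The behaviour shown in the last comment, as an added sketch that is not MediaWiki's code: the account-creation path runs the same policy check a login would and aborts before anything is stored, so the installer cannot create an admin account that is locked out from the start. All function names, the policy constants and the sample password list are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not MediaWiki code. All names below are hypothetical.

// Constructed policy values mirroring the two messages quoted in the last comment.
const MIN_LENGTH = 10;
const COMMON_PASSWORDS = ['password', 'core', '123456', 'qwertyuiop']; // constructed sample list

/**
 * Single policy check shared by every code path that sets or accepts a password.
 * Returns a list of human-readable problems; an empty list means the password is valid.
 */
function passwordProblems(string $password): array
{
    $problems = [];
    if (strlen($password) < MIN_LENGTH) {
        $problems[] = sprintf('Passwords must be at least %d characters.', MIN_LENGTH);
    }
    if (in_array(strtolower($password), COMMON_PASSWORDS, true)) {
        $problems[] = 'The password entered is in a list of very commonly used passwords.';
    }
    return $problems;
}

/**
 * Installer-side account creation: validate before anything is stored, and
 * abort with every problem listed, so a CLI run cannot leave behind an admin
 * account whose password the login form would later reject.
 */
function createAdmin(string $name, string $password): array
{
    $problems = passwordProblems($password);
    if ($problems !== []) {
        throw new InvalidArgumentException(
            "Invalid wiki admin password:\n* " . implode("\n* ", $problems)
        );
    }
    return ['name' => $name, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed inputs: the rejected value from the thread and one that passes.
foreach (['core', 'a-long-unique-passphrase'] as $candidate) {
    try {
        createAdmin('Admin', $candidate);
        echo 'accepted: password of length ' . strlen($candidate) . "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage() . "\n";
    }
}
```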