CVE-2023-0793: fix: added missing check on password length · thorsten/phpMyFAQ@00c0409

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11.


@@ -120,6 +120,7 @@ $userName = Filter::filterVar($postData[‘userName’], FILTER_UNSAFE_RAW); $userRealName = Filter::filterVar($postData[‘realName’], FILTER_UNSAFE_RAW); $userEmail = Filter::filterVar($postData[‘email’], FILTER_VALIDATE_EMAIL); $automaticPassword = Filter::filterVar($postData[‘automaticPassword’], FILTER_VALIDATE_BOOLEAN); $userPassword = Filter::filterVar($postData[‘password’], FILTER_UNSAFE_RAW); $userPasswordConfirm = Filter::filterVar($postData[‘passwordConfirm’], FILTER_UNSAFE_RAW); $userIsSuperAdmin = Filter::filterVar($postData[‘isSuperAdmin’], FILTER_VALIDATE_BOOLEAN); @@ -138,6 +139,12 @@ if (is_null($userEmail)) { $errorMessage[] = $PMF_LANG[‘ad_user_error_noEmail’]; } if (!$automaticPassword) { if (strlen($userPassword) <= 7 || strlen($userPasswordConfirm) <= 7) { $errorMessage[] = $PMF_LANG[‘ad_passwd_fail’]; } }
if (count($errorMessage) === 0) { if (!$newUser->createUser($userName, $userPassword)) { $errorMessage[] = $newUser->error(); @@ -204,6 +211,12 @@ exit(1); }
if (strlen($newPassword) <= 7 || strlen($retypedPassword) <= 7) { $http->setStatus(400); $http->sendJsonWithHeaders([‘error’ => $PMF_LANG[‘ad_passwd_fail’]]); exit(1); }
$user->getUserById($userId, true); $auth = new Auth($faqConfig); $authSource = $auth->selectAuth($user->getAuthSource(‘name’));
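Review bot: in the hunk at `@@ -138,6 +139,12 @@`, the new `if (!$automaticPassword)` block encodes the minimum length as the magic number 7 (`strlen($userPassword) <= 7 || strlen($userPasswordConfirm) <= 7`), and the identical literal reappears in the password-change hunk at `@@ -204,6 +211,12 @@`; move the minimum into one named constant and a shared validator so the two entry points cannot drift apart. Also, `Filter::filterVar($postData['password'], FILTER_UNSAFE_RAW)` can yield null when the field is absent, and passing null to `strlen()` is deprecated as of PHP 8.1 (it still evaluates to 0, so the request is rejected, but a deprecation notice is emitted); cast to `(string)` or check `is_string()` before the length test. `strlen()` counts bytes rather than characters, which is acceptable as a lower bound, but the comment should say that is the intent.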
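Review bot: in the hunk at `@@ -204,6 +211,12 @@`, the new check responds with `setStatus(400)` and `ad_passwd_fail` before `$user->getUserById($userId, true)` and the `Auth` lookup run, which is the right order (reject the request before touching user or auth state), but it repeats the `strlen(...) <= 7` comparison and the literal 7 from the user-creation hunk instead of calling a common validator; the same null-to-`strlen()` deprecation concern applies to `$newPassword` and `$retypedPassword` here.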

Related news

GHSA-fxrq-xhj9-rf5j: Weak Password Requirements in thorsten/phpmyfaq