Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


View Issue Details
ID: 0003090
Project: Piwigo
Category: authentication
View Status: public
Date Submitted: 2014.06.16 01:46
Last Update: 2014.09.01 20:35
Reporter: effigies
Assigned To: flop25
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS: Debian Linux
OS Version: Wheezy
Product Version: 2.6.2
Target Version:
Fixed in Version: 2.7.0RC1
Summary: 0003090: Passwords >24 characters fail to login
Description: On password creation, the full password is accepted and the hash is stored. During login, only the first 24 characters are hashed, causing a login failure if the password exceeds 24 characters.

Steps To Reproduce:
1) Change password to a 25 character sequence such as "aaaaaaaaaaaaaaaaaaaaaaaaa"
2) Log out
3) Attempt to log in

Additional Information: I'm looking into where this cutoff is introduced. I'll post a patch if I find it. It should be a relatively small fix: either truncate the password at creation time and add a notice that this happens, drastically increase the limit or remove the limit altogether.

The first is the easiest, but the latter seems best. Hashing is a fast operation, and truly large sequences are going to be more limited by bandwidth, and eventually the HTTP server's POST size limit than CPU.
Tags: No tags attached.
browser: any
Database engine and version: MySQL 5.5.37
PHP version: 5.4.4
Web server: nginx/1.2.1

-  Notes
(0007479)
effigies (reporter)
2014.06.16 02:36

Okay, I've tracked it down. It's not in the logic at all but hardcoded in template/identification.tpl for various themes:

<input tabindex="2" class="login" type="password" name="password" id="password" size="25" maxlength="25">

This is not consistently applied across all of the password fields, so the simplest solution is merely to remove maxlength whenever it appears in an <input type="password"> tag. A more difficult solution could be to place a config option that validates password length when handling passwords and is passed to templates to enforce in HTML.
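
A check for the mismatch described in this note, as an added example that is not part of the original thread or Piwigo's code: it parses template text and reports every password input that still carries maxlength, so a login form that truncates can be told apart from a change-password form that does not. Only the identification.tpl password line is taken from the note; the profile.tpl file, its field names and the surrounding form markup are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample templates. Only the identification.tpl password line is
# quoted from the note above; profile.tpl and its field names are hypothetical.
SAMPLE_TEMPLATES = {
    "identification.tpl": (
        '<form method="post">\n'
        '<input tabindex="2" class="login" type="password" name="password" '
        'id="password" size="25" maxlength="25">\n'
        '</form>\n'
    ),
    "profile.tpl": (
        '<form method="post">\n'
        '<input type="password" name="new_password" id="new_password">\n'
        '<input type="password" name="confirm_password" id="confirm_password">\n'
        '</form>\n'
    ),
}

class PasswordInputAudit(HTMLParser):
    """Collect every <input type="password"> with its maxlength (or None)."""
    def __init__(self):
        super().__init__()
        self.fields = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "password":
            raw = (attr.get("maxlength") or "").strip()
            limit = int(raw) if raw.isdigit() else None
            self.fields.append((attr.get("name"), limit, self.getpos()[0]))

def audit(templates):
    """Return one finding per password input that carries a maxlength."""
    findings = []
    for path, text in sorted(templates.items()):
        parser = PasswordInputAudit()
        parser.feed(text)
        parser.close()
        findings += [{"file": path, "line": line, "name": name, "maxlength": limit}
                     for name, limit, line in parser.fields if limit is not None]
    return findings

def truncating_forms(templates, password):
    """Templates whose password field would cut this password short.
    Uses len(), so it assumes an ASCII password (browsers count UTF-16 units)."""
    return sorted({f["file"] for f in audit(templates)
                   if len(password) > f["maxlength"]})

if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATES):
        print("{file}:{line}: password input '{name}' has maxlength={maxlength}".format(**f))
```

Running `audit()` over every theme's templates after a fix like this one confirms that no password field was missed.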
(0007534)
svn (reporter)
2014.08.10 17:55

[Subversion] r29194 by flop25 on trunk

-----[Subversion commit log]----------------------------------------------------
bug:3090
don't restrict the maxlength of the password
(0007535)
svn (reporter)
2014.08.10 18:06

[Subversion] r29195 by flop25 on trunk

-----[Subversion commit log]----------------------------------------------------
bug:3090
don't restrict the maxlength of the password
(0007536)
svn (reporter)
2014.08.10 18:08

[Subversion] r29196 by flop25 on extension stripped

-----[Subversion commit log]----------------------------------------------------
bug:3090
don't restrict the maxlength of the password
And correct isset check
(0007537)
flop25 (developer)
2014.08.10 18:11

and Stripped corrected too
(0007599)
svn (reporter)
2014.09.01 09:38

[Subversion] r29348 by plg on extension simple_themes

-----[Subversion commit log]----------------------------------------------------
bug 3129: remove maxlength for login

bug 3090: remove maxlength for password
(0007603)
svn (reporter)
2014.09.01 20:35

[Subversion] r29376 by flop25 on extension stripped

-----[Subversion commit log]----------------------------------------------------
bug:3090
don't restrict the maxlength of the login

- Issue History
Date Modified Username Field Change
2014.06.16 01:46 effigies New Issue
2014.06.16 01:46 effigies browser => any
2014.06.16 01:46 effigies Database engine and version => MySQL 5.5.37
2014.06.16 01:46 effigies PHP version => 5.4.4
2014.06.16 01:46 effigies Web server => nginx/1.2.1
2014.06.16 02:36 effigies Note Added: 0007479
2014.08.10 17:55 svn Checkin
2014.08.10 17:55 svn Note Added: 0007534
2014.08.10 18:06 svn Checkin
2014.08.10 18:06 svn Note Added: 0007535
2014.08.10 18:08 svn Checkin
2014.08.10 18:08 svn Note Added: 0007536
2014.08.10 18:11 flop25 Status new => assigned
2014.08.10 18:11 flop25 Assigned To => flop25
2014.08.10 18:11 flop25 Note Added: 0007537
2014.08.10 18:11 flop25 Status assigned => closed
2014.08.10 18:11 flop25 Resolution open => fixed
2014.08.10 18:11 flop25 Fixed in Version => 2.7.0beta3
2014.09.01 09:38 svn Checkin
2014.09.01 09:38 svn Note Added: 0007599
2014.09.01 20:35 svn Checkin
2014.09.01 20:35 svn Note Added: 0007603

