fixing password policy issue with levensthein

2015-08-03 15:55:05 +02:00 · 2015-08-03 15:55:05 +02:00 · 179f4dd580
parent a0575e0481
commit 179f4dd580
4 changed files with 13 additions and 11 deletions
--- a/bureau/class/m_admin.php
+++ b/bureau/class/m_admin.php
@ -1465,18 +1465,14 @@ EOF;

        if (!$pol["allowlogin"]) {
            // We do misc check on password versus login : 
-            $logins = explode("@", $login);
+            $logins = preg_split("/[@_-]/", $login);
            $logins[] = $login;
            foreach ($logins as $l) {
+	      if (!$l) continue;
 	      if (strpos($password, $l) !== false || strpos($l,$password) !== false) {
                    $err->raise("admin", _("The password policy prevents you to use your login name inside your password or the other way around"));
                    return false;
                }
-	      // Now check that levenshten distance between your login parts and your password is below 40% : 
-	      if ( intval(levenshtein($password, $l)/strlen($password)*1000) > 400 ) {
-                    $err->raise("admin", _("The password policy prevents you to use something too similar from your login name inside your password"));
-                    return false;
-	      }
            }
        }
 	
--- a/bureau/class/m_ftp.php
+++ b/bureau/class/m_ftp.php
@ -297,7 +297,7 @@ class m_ftp {

      // Check this password against the password policy using common API : 
      if (is_callable(array($admin,"checkPolicy"))) {
-        if (!$admin->checkPolicy("ftp",$prefixe.$login,$pass)) {
+        if (!$admin->checkPolicy("ftp",$full_login,$pass)) {
          return false; // The error has been raised by checkPolicy()
        }
      }
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+alternc (3.1.8) oldoldstable; urgency=low
+
+  * fix non-working levensthein call for checkPolicy, fixed using preg_split instead
+
+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Mon,  3 Aug 2015 15:53:16 +0200
+
 alternc (3.1.7) oldoldstable; urgency=low

  * fix added autocomplete="off" to password fields (not login form)
--- a/wheezy/changelog.diff
+++ b/wheezy/changelog.diff
@ -1,13 +1,13 @@
 --- changelog	2014-06-24 13:42:50.234304438 +0200
 +++ changelog.wheezy	2014-06-24 13:43:51.978313552 +0200
@@ -1,3 +1,10 @@
-+alternc (3.2.7) oldstable; urgency=low
+alternc (3.2.8) oldstable; urgency=low
 +
 +  * Version identical to 3.1 for Squeeze
 +  * Includes a small dovecot patch / dependency for dovecot 2.0 for Wheezy
 +
-+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Thu, 16 Jun 2015 18:19:00 +0100
+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Mon,  3 Aug 2015 15:54:12 +0200
 +
- alternc (3.1.7) oldoldstable; urgency=low
+ alternc (3.1.8) oldoldstable; urgency=low
 
-  * fix added autocomplete="off" to password fields (not login form)
+   * fix non-working levensthein call for checkPolicy, fixed using preg_split instead