Improve Mantis password security

On August 1, 2014, in Mantis, by terencejackson

Hi,

it’s me again. It’s been a long time since I developed something, which is mostly due to a new job I started around a year ago. Nevertheless, I have to deal with Mantis in this new job, and I really like Mantis. Unfortunately, password security is not very sophisticated in the current version 1.2.17: you can enter trivial passwords like 1 or 2, which are not really secure passwords 😉
To improve password security you can download and apply the patches I developed to solve this problem. The zip file contains two patches, and you need to apply both to make it work.

The following changes have been made to enforce stronger passwords:
The following lines have been added to config_defaults_inc.php (here you can override the values, e.g. to require a longer password):

/**
 * Configuration for the password security.
 * If NUMBER_REQUIRED = true at least one number is required
 * If UPPERCASE_REQUIRED = true at least one uppercase character is required
 * If LOWERCASE_REQUIRED = true at least one lowercase character is required
 * MIN_CHARACTERS defines the minimum number of characters
 * @global mixed $g_password_security
 */
$g_password_security = array (
  "NUMBER_REQUIRED" => true,
  "UPPERCASE_REQUIRED" => true,
  "LOWERCASE_REQUIRED" => true,
  "MIN_CHARACTERS" => 8
);

The if statement starting at line 111 of account_update.php has been replaced by the following statement:

// Update password if the two match and are not empty
if (! is_blank ( $f_password )) {
  if ($f_password != $f_password_confirm) {
    trigger_error ( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
  } else {
    // Read the policy from $g_password_security; a disabled rule counts as satisfied
    $f_password_security = config_get ( 'password_security' );
    $f_uppercase = $f_password_security ["UPPERCASE_REQUIRED"] ? preg_match ( '/[A-Z]/', $f_password ) : 1;
    $f_lowercase = $f_password_security ["LOWERCASE_REQUIRED"] ? preg_match ( '/[a-z]/', $f_password ) : 1;
    $f_number = $f_password_security ["NUMBER_REQUIRED"] ? preg_match ( '/[0-9]/', $f_password ) : 1;
    $f_length = $f_password_security ["MIN_CHARACTERS"];

    // Reject the password if any enabled rule fails or it is too short
    if (! $f_uppercase || ! $f_lowercase || ! $f_number || strlen ( $f_password ) < $f_length) {
      trigger_error ( ERROR_USER_CREATE_PASSWORD_PATTERN_NO_MATCH, ERROR );
    } else if (! auth_does_password_match ( $t_user_id, $f_password )) {
      user_set_password ( $t_user_id, $f_password );
      $t_password_updated = true;
    }
  }
}

An additional string has been added in strings_english.txt:

$MANTIS_ERROR[ERROR_USER_CREATE_PASSWORD_PATTERN_NO_MATCH] = 'Please enter a valid password!';
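As an added example (not part of the patch or of Mantis itself), here are the same policy rules as a stand-alone function that reports every unmet requirement, so a user can be told exactly what is missing instead of only "Please enter a valid password!". It assumes the same configuration keys as $g_password_security and counts characters with mb_strlen rather than bytes with strlen, which over-counts multibyte UTF-8 input.

```php
<?php
// Added example, not Mantis code: list every policy rule a password fails.

/**
 * Returns an array of human-readable reasons why $password does not meet
 * $policy (same keys as $g_password_security); empty array means acceptable.
 */
function password_policy_violations( $password, array $policy ) {
    $violations = array();

    // Count characters, not bytes: strlen() over-counts multibyte UTF-8 input.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );
    if ( $length < $policy['MIN_CHARACTERS'] ) {
        $violations[] = 'at least ' . $policy['MIN_CHARACTERS'] . ' characters';
    }
    if ( $policy['UPPERCASE_REQUIRED'] && ! preg_match( '/[A-Z]/', $password ) ) {
        $violations[] = 'an uppercase letter';
    }
    if ( $policy['LOWERCASE_REQUIRED'] && ! preg_match( '/[a-z]/', $password ) ) {
        $violations[] = 'a lowercase letter';
    }
    if ( $policy['NUMBER_REQUIRED'] && ! preg_match( '/[0-9]/', $password ) ) {
        $violations[] = 'a digit';
    }
    return $violations;
}

// Constructed sample policy mirroring the defaults from config_defaults_inc.php.
$policy = array(
    'NUMBER_REQUIRED'    => true,
    'UPPERCASE_REQUIRED' => true,
    'LOWERCASE_REQUIRED' => true,
    'MIN_CHARACTERS'     => 8,
);

// Constructed sample passwords: the trivial "1", a common word, and a compliant one.
foreach ( array( '1', 'password', 'Tr0ub4dor' ) as $candidate ) {
    $missing = password_policy_violations( $candidate, $policy );
    echo $candidate, ': ', empty( $missing ) ? 'OK' : 'needs ' . implode( ', ', $missing ), "\n";
}
```

In account_update.php the returned list could be joined into the error text instead of triggering the single generic ERROR_USER_CREATE_PASSWORD_PATTERN_NO_MATCH message.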

I hope you enjoy this enhancement!
