diff -Naur bugs-old/account_update.php bugs/account_update.php
--- bugs-old/account_update.php 2009-04-09 22:16:33.000000000 -0500
+++ bugs/account_update.php 2009-04-09 22:49:14.000000000 -0500
@@ -85,8 +85,29 @@
 trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
 } else {
 if ( !auth_does_password_match( $t_user_id, $f_password ) ) {
- user_set_password( $t_user_id, $f_password );
- $t_password_updated = true;
+ $t_password_minimum = config_get( 'password_minimum' );
+ if (strlen($f_password) < $t_password_minimum) {
+ error_parameters( $t_password_minimum );
+ trigger_error( ERROR_USER_PASSWORD_TOO_SHORT, ERROR);
+ } else {
+ if (auth_is_password_complex($f_password)) {
+ user_set_password( $t_user_id, $f_password );
+ $t_password_updated = true;
+ } else {
+ $t_password_complexity = config_get( 'password_complexity' );
+ switch ( $t_password_complexity ) {
+ case 1:
+ trigger_error( ERROR_USER_PASSWORD_NOT_COMPLEX_1, ERROR );
+ break;
+ case 2:
+ trigger_error( ERROR_USER_PASSWORD_NOT_COMPLEX_2, ERROR );
+ break;
+ case 3:
+ trigger_error( ERROR_USER_PASSWORD_NOT_COMPLEX_3, ERROR );
+ break;
+ }
+ }
+ }
 }
 }
 }
diff -Naur bugs-old/config_defaults_inc.php bugs/config_defaults_inc.php
--- bugs-old/config_defaults_inc.php 2009-04-09 22:15:40.000000000 -0500
+++ bugs/config_defaults_inc.php 2009-04-09 23:25:43.000000000 -0500
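Review bot: The `switch` on `$t_password_complexity` triggers `ERROR_USER_PASSWORD_NOT_COMPLEX_1`, `_2` and `_3`, but the constant_inc.php hunk in this patch defines only `ERROR_USER_PASSWORD_NOT_COMPLEX` (810) and `ERROR_USER_PASSWORD_TOO_SHORT` (811), so the suffixed names are undefined constants here and again where strings_english.txt indexes `$MANTIS_ERROR` with them. Either add the three suffixed `define()`s to constant_inc.php or keep the single constant and pass the level through `error_parameters()`. The `switch` also has no `default` branch, so if `auth_is_password_complex()` returns false for a complexity value outside 1–3 no error is raised and the password is silently not updated; add `default: trigger_error( ERROR_USER_PASSWORD_NOT_COMPLEX, ERROR );` so the failure is always reported. The enclosing `if`/`else` chain begins before this hunk.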
@@ -182,6 +182,16 @@ # Set to OFF to disable this control $g_max_failed_login_count = OFF; + # Password Complexity + # OFF = Disabled + # 1 = Requires a mix of upper and lower case + # 2 = Also requires at least 1 Number + # 3 = Also requires a special character + $g_password_complexity = OFF; + + # Minimum Password Length + $g_password_minimum = 3; + # access level required to be notified when a new user has been created using the "signup form" $g_notify_new_user_created_threshold_min = ADMINISTRATOR; diff -Naur bugs-old/core/authentication_api.php bugs/core/authentication_api.php --- bugs-old/core/authentication_api.php 2009-04-09 22:16:10.000000000 -0500 +++ bugs/core/authentication_api.php 2009-04-09 22:26:41.000000000 -0500 
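Review bot: The `# Minimum Password Length` comment above `$g_password_minimum` does not say how the length is measured; the check added in account_update.php uses `strlen()`, which counts bytes, so non-ASCII characters count more than once, and as far as this patch shows only the account_update.php path enforces the setting. Suggest `# Minimum Password Length (counted in bytes by strlen(); enforced when a password is changed)`. The `$g_password_complexity` comment documents the levels well; a one-line pointer that the check itself lives in `auth_is_password_complex()` would help administrators find the exact character classes accepted.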
@@ -297,6 +297,28 @@ return $t_confirm_hash; } + # -------------------- + # Determines whether the password meets complexity requirements + function auth_is_password_complex( $f_password ) { + $t_password_complexity = config_get( 'password_complexity' ); + if ($t_password_complexity == 'OFF') return true; + + # Check for upper case letters + if (strtolower($f_password) == $f_password) return false; + + # Check for lower case letters + if (strtoupper($f_password) == $f_password) return false; + + # Check for numbers + if ($t_password_complexity > 1 && str_replace(array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9'), '', $f_password) == $f_password) return false; + + # Check for special characters + if ($t_password_complexity > 2 && str_replace(array('!', '@', '#', '$', '%', '^', '^', '&', '*', '(', ')', '-', '_', '+', '=', '{', '}', '[', ']', ':', ';', ',', '.', '?', '~', '|', '\\', '/'), '', $f_password) == $f_password) return false; + + # Everything checks out + return true; + } + #=================================== # Cookie functions #=================================== diff -Naur bugs-old/core/constant_inc.php bugs/core/constant_inc.php --- bugs-old/core/constant_inc.php 2009-04-09 22:48:52.000000000 -0500 +++ bugs/core/constant_inc.php 2009-04-09 22:48:32.000000000 -0500 @@ -245,6 +245,8 @@ define( 'ERROR_USER_REAL_MATCH_USER', 807 ); define( 'ERROR_USER_CHANGE_LAST_ADMIN', 808 ); define( 'ERROR_USER_REAL_NAME_INVALID', 809 ); + define( 'ERROR_USER_PASSWORD_NOT_COMPLEX', 810 ); + define( 'ERROR_USER_PASSWORD_TOO_SHORT', 811 ); # ERROR_AUTH_* define( 'ERROR_AUTH_INVALID_COOKIE', 900 ); diff -Naur bugs-old/lang/strings_english.txt bugs/lang/strings_english.txt --- bugs-old/lang/strings_english.txt 2009-04-09 22:15:17.000000000 -0500 +++ bugs/lang/strings_english.txt 2009-04-09 22:46:03.000000000 -0500 
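Review bot: `if ($t_password_complexity == 'OFF') return true;` compares the configured value to the string `'OFF'`, whereas config_defaults_inc.php sets `$g_password_complexity = OFF;` with the constant; a loose comparison between the constant and a non-numeric string behaves differently across PHP versions, so on newer releases a disabled policy can fall through and reject every password without mixed case. Compare against the constant instead: `if ( OFF == $t_password_complexity ) return true;`. The special-character list in the level-3 check omits space, single and double quotes, `<`, `>` and backtick (and lists `^` twice), so a password whose only non-alphanumeric character is one of those is reported as not complex; `preg_match( '/[^a-zA-Z0-9]/', $f_password )` would accept any non-alphanumeric character and is easier to audit than a hand-maintained list. The header comment should also state that the checks are cumulative (level 2 requires level 1, level 3 requires level 2), which the code implements via the `> 1` and `> 2` guards but does not document.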
@@ -267,6 +267,10 @@
 $MANTIS_ERROR[ERROR_VERSION_NOT_FOUND] = 'Version "%s" not found.';
 $MANTIS_ERROR[ERROR_USER_NAME_INVALID] = 'The username is invalid. Usernames may only contain Latin letters, numbers, spaces, hyphens, and underscores.';
 $MANTIS_ERROR[ERROR_USER_REAL_NAME_INVALID] = 'The user real name is invalid.';
+$MANTIS_ERROR[ERROR_USER_PASSWORD_TOO_SHORT] = 'Your Password must be a minimum of %d characters.';
+$MANTIS_ERROR[ERROR_USER_PASSWORD_NOT_COMPLEX_1] = 'Your Password does not meet complexity requirements. It should use a combination of upper and lower case letters.';
+$MANTIS_ERROR[ERROR_USER_PASSWORD_NOT_COMPLEX_2] = 'Your Password does not meet complexity requirements. It should use a combination of upper and lower case letters and numbers.';
+$MANTIS_ERROR[ERROR_USER_PASSWORD_NOT_COMPLEX_3] = 'Your Password does not meet complexity requirements. It should use a combination of upper and lower case letters, numbers, and special characters.';
 $MANTIS_ERROR[ERROR_USER_DOES_NOT_HAVE_REQ_ACCESS] = 'User does not have required access level.';
 $MANTIS_ERROR[ERROR_USER_REAL_MATCH_USER] = 'The "Real Name" chosen matches another user\'s login name. Please choose another.';
 $MANTIS_ERROR[ERROR_SPONSORSHIP_NOT_ENABLED] = 'Sponsorship support not enabled.';