183898 - checksetup.pl doesn't accepts admin passwords with dots

Status: RESOLVED FIXED

(Bugzilla :: Installation & Upgrading, defect)

Description

[Oliver Fischer]

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20021125
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20021125

While setting up a Bugzilla 2.16.1 on FreeBSD with perl 5.6.1 I recognoized,
that checksetup.pl doesn't like passwords for the admin, which contains a dot.

Reproducible: Always

Steps to Reproduce:


Actual Results:  
Entering a passwort with a dot inside causes checksetup.pl to ask again for the
password.

Expected Results:  
Accepting the password.

Comment 1

[Jonathan Schatz]

i can confirm this on a redhat 8.0 machine (perl-5.8.0) with HEAD from cvs.

Comment 2

[Dave Miller [:justdave]]

Looks like it's not accepting anything weird in the password...

      while( $pass1 eq "" || $pass1 !~ /^[a-zA-Z0-9-_]{3,16}$/ ) {

That's probably not real secure.  Should accept more valid characters for the
password (i.e. anything printable) or at a minimum give a better error message
that describes the legal characters for a password...

confirming...

Comment 3

[Bradley Baetz (:bbaetz)]

ValidatePassword in gobals.pl only checks for length, so I don't see why
checksetup is any different. The only thing I can think of is trying to avoid
control characters or something. Isn't there a perl metachar we can use for
'printable characters'?

Comment 4

[Vlad Dascalu]

Attachment: Excludes only non-printable chars from the admin password.

Yes, we can use [:print:] in regexps in order to match printable chars and in
this way to:

- avoid control chars (like backspace on a bad terminal).
- eliminate the restriction and make the password policy the same in every
place.

Comment 5

[Vlad Dascalu]

<-- me

Comment 6

[Christian Reis]

Not that it's part of this bug, but how about swapping "stupid" for "silly" up
there? I would rather we didn't insult our potential users :-)

Comment 7

[Christian Reis]

Comment on attachment 127943 [details] [diff] [review]
Excludes only non-printable chars from the admin password.

r=kiko, neat. assuming you' ve tested (again, no tree!)  it it's ready for
approval

Comment 8

[Vlad Dascalu]

I was also thinking that:

"It's just plain stupid to not have a password.  Try again!"

is kinda insulting. Should I change that to:

"It's just plain silly to not have a password.  Try again!"

or does:

"An empty password represents a security risk! Please try again."

sound better?

Comment 9

[Vlad Dascalu]

Attachment: Excludes only non-printable chars from the admin password. Also replaces the potential offensive text with a more nice one.

Here's the new version.

Comment 10

[Christian Reis]

Comment on attachment 127951 [details] [diff] [review]
Excludes only non-printable chars from the admin password. Also replaces the potential offensive text with a more nice one.

nice!

Comment 11

[Vlad Dascalu]

Attachment: Fixing small spacing problem and carying over r+.

Comment 12

[Vlad Dascalu]

Attachment: Same as the previous one, but updated because the previous one was not applying cleanly anymore to the CVS tip due to a recent commit to checksetup.pl.

Re-diff due to a recent CVS commit that caused the patch to give errors when
applying.

Comment 13

[Vlad Dascalu]

Comment on attachment 128005 [details] [diff] [review]
Same as the previous one, but updated because the previous one was not applying cleanly anymore to the CVS tip due to a recent commit to checksetup.pl.

Carrying over review+.

Comment 14

[J. Paul Reed [:preed]]

Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.238; previous revision: 1.237
done

Comment 15

[Vlad Dascalu]

Marking as fixed.