backport bug 1009013 to bmo (Require a user to change their password if they log in and their current password does not meet the password complexity rules)

RESOLVED FIXED

Status


bugzilla.mozilla.org
General
3 years ago
3 years ago

People

(Reporter: Rob Russell, Assigned: glob)

Tracking

Production

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20150320201757

Steps to reproduce:

On logging in to Bugzilla at https://bugzilla.mozilla.org/index.cgi?GoAheadAndLogIn=1 for the first time in years. . . .

I received this message: 
Your password is currently less than 8 characters long, which is the new minimum length required for passwords. You must request a new password in order to log in again.



Actual results:

Okay, fair, so I clicked on “request a new password,” which gave me:

It looks like you didn't come from the right page. One reason could be that you entered the URL in the address bar of your web browser directly, which should be safe. Another reason could be that you clicked on a URL which redirected you here without your consent.
Are you sure you want to commit these changes?



Expected results:

Bugzilla should trust bugzilla.
(Reporter)

Comment 1

3 years ago
Bug introduced with fix to previous bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1009013

Comment 2

3 years ago
Not reproducible upstream. But bmo backported this feature, so they probably missed some other related fixes.
Assignee: user-accounts → nobody
Component: User Accounts → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: 5.0 → Production
(Assignee)

Comment 3

3 years ago
Actually, bmo isn't carrying the changes from bug 1009013, but we have backported CSRF token fixes, which are likely the cause of this issue.

Backporting bug 1009013 should fix this, as it adds the missing token to the link in the error.
Assignee: nobody → glob
(Assignee)

Comment 4

3 years ago
This was a trivial straight backport.

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   48c23b1..d4a53a6  master -> master
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Assignee)

Updated

3 years ago
Summary: Minimum password length handler not trusted by password change → backport bug 1009013 to bmo (Require a user to change their password if they log in and their current password does not meet the password complexity rules)
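
The failure discussed in comments 3 and 4, as an added example that is not part of the original bug or Bugzilla's own code: a token-protected password-reset request rejects the error-page link when it is built without a token and accepts it once the token is included. The `/request_password` path, the parameter names, the HMAC token format and the token lifetime are assumptions of this sketch.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-secret"  # constructed value; a real site key is random and private
MAX_AGE = 3 * 24 * 3600              # assumed token lifetime for this sketch

def _mac(login, action, ts):
    msg = f"{action}:{login}:{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(login, action, now=None):
    """Return 'timestamp-hexmac', bound to one login and one action."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}-{_mac(login, action, ts)}"

def check_token(token, login, action, now=None):
    """True only for an unexpired token issued for this login and action."""
    ts, sep, mac = (token or "").partition("-")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    current = time.time() if now is None else now
    fresh = 0 <= current - int(ts) <= MAX_AGE
    # Compare as bytes so non-ASCII input cannot raise instead of failing.
    same = hmac.compare_digest(mac.encode(), _mac(login, action, ts).encode())
    return fresh and same

def error_link(login, with_token):
    """Link shown in the 'password too short' error (hypothetical path)."""
    params = {"a": "reqpw", "loginname": login}
    if with_token:  # the 'after' behaviour: the link carries the token
        params["token"] = issue_token(login, "reqpw")
    return "/request_password?" + urlencode(params)

def handle_request(url):
    """Model handler: refuse the state change unless the token verifies."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("a") != "reqpw":
        return "unknown action"
    if not check_token(q.get("token", ""), q.get("loginname", ""), "reqpw"):
        return "didn't come from the right page"
    return "password reset mail queued"

if __name__ == "__main__":
    print(handle_request(error_link("user@example.com", with_token=False)))
    print(handle_request(error_link("user@example.com", with_token=True)))
```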