authorJonathan Prykop <jonathan@freeside.biz>2015-12-07 17:46:45 -0600
committerJonathan Prykop <jonathan@freeside.biz>2015-12-07 17:46:45 -0600
commit4b147e668c23fd3011885ed94d84f4f3bb27c71f (patch)
tree533726c41c3f184e7cd4b24c5c6b7112df3f215c /FS
parent7c08f01e1a05fe4bab903bd44277b5c3784aebc5 (diff)
RT#29354: Password Security in Email [customer fields, images, js files]
Diffstat (limited to 'FS')
-rw-r--r--FS/FS/Password_Mixin.pm34
-rw-r--r--FS/FS/svc_acct.pm1
2 files changed, 35 insertions, 0 deletions
diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index 3129366c7..834fd6fc3 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -67,6 +67,40 @@ sub is_password_allowed {
return '' unless $self->get($self->primary_key); # for validating new passwords pre-insert
+ #check against customer fields
+ my $cust_main = $self->cust_main;
+ if ($cust_main) {
+ my @words;
+ # words from cust_main
+ foreach my $field ( qw( last first daytime night fax mobile ) ) {
+ push @words, split(/\W/,$cust_main->get($field));
+ }
+ # words from cust_location
+ foreach my $loc ($cust_main->cust_location) {
+ foreach my $field ( qw(address1 address2 city county state zip) ) {
+ push @words, split(/\W/,$loc->get($field));
+ }
+ }
+ # words from cust_contact & contact_phone
+ foreach my $contact (map { $_->contact } $cust_main->cust_contact) {
+ foreach my $field ( qw(last first) ) {
+ push @words, split(/\W/,$contact->get($field));
+ }
+ # not hugely useful right now, hyphenless stored values longer than password max,
+ # but max will probably be increased eventually...
+ foreach my $phone ( qsearch('contact_phone', {'contactnum' => $contact->contactnum}) ) {
+ push @words, split(/\W/,$phone->get('phonenum'));
+ }
+ }
+ # do the actual checking
+ foreach my $word (@words) {
+ next unless length($word) > 2;
+ if ($password =~ /$word/i) {
+ return qq(Password contains account information '$word');
+ }
+ }
+ }
+
my $no_reuse = 3;
# allow override here if we really must
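Review bot: The added customer-field check sits below `return '' unless $self->get($self->primary_key);`, so a password supplied while the record is still being created returns early and is never compared with the customer's name, phone or address words. If `$self->cust_main` cannot be resolved before insert that is probably unavoidable, but it should be stated, e.g. `# customer-field check needs an inserted record; initial passwords are not covered here`. The match `$password =~ /$word/i` is safe only because `split(/\W/, ...)` leaves no metacharacters in `$word`; writing `/\Q$word\E/i` here and in password_svc_check in svc_acct.pm keeps stored customer data from ever being compiled as a pattern if the split is changed later. is_password_allowed starts and ends outside the hunk.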
diff --git a/FS/FS/svc_acct.pm b/FS/FS/svc_acct.pm
index 38cebc1de..53b12f181 100644
--- a/FS/FS/svc_acct.pm
+++ b/FS/FS/svc_acct.pm
@@ -2686,6 +2686,7 @@ sub password_svc_check {
my ($self, $password) = @_;
foreach my $field ( qw(username finger) ) {
foreach my $word (split(/\W+/,$self->get($field))) {
+ next unless length($word) > 2;
if ($password =~ /$word/i) {
return qq(Password contains account information '$word');
}
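Review bot: The new `next unless length($word) > 2;` uses a bare threshold that is now repeated in is_password_allowed in Password_Mixin.pm, and neither copy says why fragments of one or two characters are skipped. If the reason is that such fragments match too many passwords, a comment such as `# skip 1-2 character fragments; they match too many passwords to be a useful check` would record it, and a shared constant would keep the two files in step. A username or finger value made up only of such short fragments is now not checked at all, which looks intended but is worth confirming. password_svc_check continues outside the hunk.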