RT#29354: Password Security in Email [v3 merge]

2 files changed, 24 insertions, 0 deletions

diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index 327eda86c..eb1db81e8 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -69,6 +69,29 @@ sub is_password_allowed {
 
   return '' unless $self->get($self->primary_key); # for validating new passwords pre-insert
 
+  #check against customer fields
+  my $cust_main = $self->cust_main;
+  if ($cust_main) {
+    my @words;
+    # words from cust_main
+    foreach my $field ( qw( last first daytime night fax mobile ) ) {
+        push @words, split(/\W/,$cust_main->get($field));
+    }
+    # words from cust_location
+    foreach my $loc ($cust_main->cust_location) {
+      foreach my $field ( qw(address1 address2 city county state zip) ) {
+        push @words, split(/\W/,$loc->get($field));
+      }
+    }
+    # do the actual checking
+    foreach my $word (@words) {
+      next unless length($word) > 2;
+      if ($password =~ /$word/i) {
+        return qq(Password contains account information '$word');
+      }
+    }
+  }
+
   if ( $conf->config('password-no_reuse') =~ /^(\d+)$/ ) {
 
     my $no_reuse = $1;
diff --git a/FS/FS/svc_acct.pm b/FS/FS/svc_acct.pm
index e963c8082..203150f7c 100644
--- a/FS/FS/svc_acct.pm
+++ b/FS/FS/svc_acct.pm
@@ -2785,6 +2785,7 @@ sub password_svc_check {
   my ($self, $password) = @_;
   foreach my $field ( qw(username finger) ) {
     foreach my $word (split(/\W+/,$self->get($field))) {
+      next unless length($word) > 2;
       if ($password =~ /$word/i) {
         return qq(Password contains account information '$word');
       }