From: Mark Wells
Date: Wed, 23 Mar 2016 20:35:54 +0000 (-0700)
Subject: switch to a hard list of allowed password characters, #40792
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=b57faabe2aab0d5272101c16385ddb252efa697d

switch to a hard list of allowed password characters, #40792
---
diff --git a/FS/FS/Conf.pm b/FS/FS/Conf.pm
index a8ececd02..e88ee6840 100644
--- a/FS/FS/Conf.pm
+++ b/FS/FS/Conf.pm
@@ -4052,14 +4052,16 @@ and customer address. Include units.',
 'select_enum' => [ '1 hour', '2 hours', '4 hours', '8 hours', '1 day', '1 week', ],
 },
- {
- 'key' => 'password-generated-characters',
- 'section' => 'password',
- 'description' => 'Set of characters to use when generating random passwords. This must contain at least one lowercase letter, uppercase letter, digit, and punctuation mark.',
- 'type' => 'textarea',
- },
+ # 3.x-only options for a more tolerant password policy
 # {
+# 'key' => 'password-generated-characters',
+# 'section' => 'password',
+# 'description' => 'Set of characters to use when generating random passwords. This must contain at least one lowercase letter, uppercase letter, digit, and punctuation mark.',
+# 'type' => 'textarea',
+# },
+#
+# {
 # 'key' => 'password-no_reuse',
 # 'section' => 'password',
 # 'description' => 'Minimum number of password changes before a password can be reused. By default, passwords can be reused without restriction.',
diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index da80cd27f..27da57f28 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -14,8 +14,6 @@ FS::UID->install_callback( sub {
 $conf = FS::Conf->new;
 });
-our @pw_set;
-
 our $me = '[' . __PACKAGE__ . ']';
 our $BLOWFISH_COST = 10;
@@ -262,27 +260,19 @@ sub _blowfishcrypt {
 =item pw_set
-Returns the list of characters allowed in random passwords (from the
-C config).
+Returns the list of characters allowed in random passwords. This is now
+hardcoded.
 =cut
 sub pw_set {
- my $class = shift;
- if (!@pw_set) {
- my $pw_set = $conf->config('password-generated-characters');
- $pw_set =~ s/\s//g; # don't ever allow whitespace
- if ( $pw_set =~ /[[:lower:]]/
- && $pw_set =~ /[[:upper:]]/
- && $pw_set =~ /[[:digit:]]/
- && $pw_set =~ /[[:punct:]]/ ) {
- @pw_set = split('', $pw_set);
- } else {
- warn "password-generated-characters set is insufficient; using default.";
- @pw_set = split('', 'abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ23456789()#.,');
- }
- }
- return @pw_set;
+
+ # ASCII alphabet, minus easily confused stuff (l, o, O, 0, 1)
+ # and plus some "safe" punctuation
+ split('',
+ 'abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ23456789()#.,[]-_=+'
+ );
+
 }
 =back
diff --git a/FS/FS/Upgrade.pm b/FS/FS/Upgrade.pm
index bfb218f33..2a480f872 100644
--- a/FS/FS/Upgrade.pm
+++ b/FS/FS/Upgrade.pm
@@ -165,12 +165,6 @@ If you need to continue using the old Form 477 report, turn on the
 $conf->delete('voip-cust_email_csv_cdr') ;
 }
- if ( !$conf->config('password-generated-characters') ) {
- my $pw_set =
- 'abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ23456789()#.,' ;
- $conf->set('password-generated-characters', $pw_set);
- }
-
 if ($conf->exists('unsuspendauto') && !$conf->config('unsuspend_balance')) {
 $conf->set('unsuspend_balance','Zero');
 $conf->delete('unsuspendauto');
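Review bot: pw_set now ends in a bare `split(...)` as its implicit return value, and the new comment records which glyphs were dropped but not that `[]-_=+` were added relative to the previous default `()#.,`, which is the only behavioral change in this hunk. Make the return explicit and name the widening in the comment, e.g. `# ... plus some "safe" punctuation; [] - _ = + are new in this version` followed by `return split('', '...');` on the same literal. The comment lists `l, o, O, 0, 1` as excluded for confusability, but `I` stays in the uppercase run although it is just as easily confused with `l` and `1`; if that is deliberate, say so in the comment. Whether any consumer of these generated passwords rejects the new punctuation is not visible from this hunk and is worth confirming before release.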
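Review bot: Dropping the seeding block removes the only writer of `password-generated-characters`, but any row that an earlier upgrade already wrote for that key is left in place, while the neighbouring steps in this hunk (`voip-cust_email_csv_cdr`, `unsuspendauto`) do delete their obsolete keys. Since the Conf.pm hunk in this commit also removes the key's declaration, consider the symmetric cleanup `$conf->delete('password-generated-characters') if $conf->exists('password-generated-characters');` in its place, so a stale value is not left behind as an undeclared setting. How Conf treats stored values for undeclared keys is not visible here, so whether the leftover row is merely untidy or actually surfaces somewhere should be checked. The enclosing upgrade subroutine starts and ends outside the hunk.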