From 1eff14d093d541d9858f73ffca042de5a2bf3ea5 Mon Sep 17 00:00:00 2001 From: arno Date: Mon, 24 Aug 2009 00:00:46 +0200 Subject: [PATCH] do not allow empty passwords --- api.php | 6 ++++++ inc/db/anydb.php | 3 ++- inc/db/mysql.php | 3 +++ inc/html/admin.php | 1 + inc/html/install.php | 30 +++++++++++++++++++++++++----- inc/i10n/en/syp.php | 3 +++ inc/i10n/fr/syp.php | 5 +++++ js/admin.js | 12 ++++++++++++ 8 files changed, 57 insertions(+), 6 deletions(-) diff --git a/api.php b/api.php index ac49d76..e74f3b4 100644 --- a/api.php +++ b/api.php @@ -344,6 +344,9 @@ function main ($con) { try { $con->setpwd ($user, $newpass); } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } error_server (); } setcookies ($user, $newpass); @@ -364,6 +367,9 @@ function main ($con) { try { $con->setpwd ($newuser_name, $newuser_password); } catch (Exception $e) { + if ($e->getMessage () == anydbConnection::err_query) { + error_request (); + } error_server (); } success_newuser ($newuser_name); diff --git a/inc/db/anydb.php b/inc/db/anydb.php index 1094365..b63a264 100644 --- a/inc/db/anydb.php +++ b/inc/db/anydb.php @@ -100,7 +100,8 @@ interface anydbConnection { /* * set password $pwd for user $usrname. If $usrname does not exist, create - * it + * it. + * throws an err_query error in case $pwd is null */ public function setpwd($usrname, $pwd); diff --git a/inc/db/mysql.php b/inc/db/mysql.php index 8c07aa3..8383607 100644 --- a/inc/db/mysql.php +++ b/inc/db/mysql.php @@ -63,6 +63,9 @@ class mysqlConnection implements anydbConnection { } public function setpwd ($user_name, $pwd) { + if (strlen ($pwd) == 0) { + throw new Exception (anydbConnection::err_query); + } $usrname_escaped = mysql_real_escape_string ($user_name); if ($this->user_exists ($user_name)) { $query = sprintf ("UPDATE %susers SET pwd='%s' WHERE name like '%s';", diff --git a/inc/html/admin.php b/inc/html/admin.php index 7702b94..d6d876b 100644 --- a/inc/html/admin.php 
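Review bot: Both new catch blocks (around the `setpwd` call at `@@ -344` and the one at `@@ -364`) tell a rejected empty password from a server fault by comparing `$e->getMessage ()` with `anydbConnection::err_query`, which by its name looks like the generic query-failure code. If `setpwd` also throws `err_query` when the statement itself fails (not visible here), a real database error is now reported to the client as a bad request. The fall-through to `error_server ()` is only safe if `error_request ()` ends the script, which the hunk does not show. Checking the input before the call keeps the two cases apart: `if (strlen ($newpass) == 0) { error_request (); }` ahead of the `try`, and the same for `$newuser_password`. The body of `main` continues outside both hunks.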
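Review bot: The added comment line says `setpwd` throws when `$pwd` is null, but the check added to `mysqlConnection::setpwd` in this same commit is `strlen ($pwd) == 0`, so the case the commit is about, an empty string, is not what the contract states. Suggested wording: `throws an Exception whose message is err_query if $pwd is empty (zero length)`. Phrasing it as a requirement on every implementation of `anydbConnection` would also make clear that other backends must carry the same check.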
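Review bot: The UPDATE directly below the new guard selects the account with `WHERE name like '%s'`, and `mysql_real_escape_string` leaves the LIKE wildcards `%` and `_` untouched, so a name containing either can match more rows than the one intended and set their passwords as well. An exact comparison avoids that: `WHERE name='%s'`. The statement and the rest of `setpwd` run past the end of the hunk, so whether `user_exists` and the insert branch use the same pattern has to be checked there.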
+++ b/inc/html/admin.php @@ -69,6 +69,7 @@ if (!$usrtblexists || !$itemstblexists) { UnconsistentError: "", DelSucces: "", UpdateSucces: "", + emptyPasswordError: "", userPasswordmatchError: "", changeSamePass: "", changePassBadPass: "", diff --git a/inc/html/install.php b/inc/html/install.php index d3def31..4b2d02c 100644 --- a/inc/html/install.php +++ b/inc/html/install.php @@ -10,6 +10,10 @@ <?php ptrans ('SYP wizard')?> @@ -192,7 +207,8 @@ if ($users_table_exists) { par_success (trans ('Found user table.')); } else { - if (isset($_POST ["admin_pass"])) { + $empty_pass = (isset ($_POST ["admin_pass"]) && (strlen ($_POST ["admin_pass"]) == 0)); + if ($_POST ["admin_pass"]) { try { $connection->create_users_table (true); } catch (Exception $e) { @@ -207,11 +223,15 @@ par_success (trans ('Admin password initialized.')); } else { - print ('
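Review bot: In the `@@ -192,7 +207,8 @@` hunk of inc/html/install.php, the new condition `if ($_POST ["admin_pass"])` tests truthiness, so the password `"0"` is treated as absent; its length is 1, so `$empty_pass` stays false and the form would be shown again without the "Password cannot be empty" message. The index is also read without `isset`, which raises a notice when the field was not submitted, and an array-valued `admin_pass` is truthy and passes the test. Suggest `$has_pass = isset ($_POST ["admin_pass"]) && is_string ($_POST ["admin_pass"]) && strlen ($_POST ["admin_pass"]) > 0;` and branching on `if ($has_pass)`. The enclosing `if`/`else` starts and ends outside this hunk.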
+ print (' - - -
'); + '); + if ($empty_pass) { + print ('

' . trans('Password cannot be empty') . '

'); + } else { + print (''); + } + print ('
'); leave (); } } diff --git a/inc/i10n/en/syp.php b/inc/i10n/en/syp.php index 316158b..de65072 100644 --- a/inc/i10n/en/syp.php +++ b/inc/i10n/en/syp.php @@ -17,6 +17,9 @@ "SYP wizard" => "", + "Password cannot be empty" + => "", + "exist but is not a directory" => "", diff --git a/inc/i10n/fr/syp.php b/inc/i10n/fr/syp.php index 1cb3600..d4240b5 100644 --- a/inc/i10n/fr/syp.php +++ b/inc/i10n/fr/syp.php @@ -18,6 +18,11 @@ "Assistant d'installation de SYP" , + "Password cannot be empty" + => + "Le mot de passe ne peut pas être vide" + , + "exist but is not a directory" => "existe mais n'est pas un répertoire" diff --git a/js/admin.js b/js/admin.js index 85a28dd..36c7406 100644 --- a/js/admin.js +++ b/js/admin.js @@ -923,6 +923,12 @@ var userMgr = { return; } + if (!newpass) { + this.commError(SypStrings.emptyPasswordError); + $("#pass_new").focus().select(); + return; + } + var curpass = $("#pass_current").val(); if (newpass == curpass) { this.commError(SypStrings.changeSamePass); @@ -1008,6 +1014,12 @@ var userMgr = { return; } + if (!newuser_pass) { + this.commError(SypStrings.emptyPasswordError); + $("#pass_new").focus().select(); + return; + } + this.commError(""); AjaxMgr.add({ -- 2.39.2
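Review bot: In the second js/admin.js hunk (`@@ -1008`, the new-user handler) the empty-password branch focuses `$("#pass_new")`, the same selector the change-password branch at `@@ -923` uses; this looks like a copy of that block, and if the new-user form has its own password field the focus lands in the wrong form. The field id is not visible in the hunk, so confirm it and point the selector at the input that `newuser_pass` is read from. Both client checks are a convenience only; the guard in `setpwd` is what enforces the rule. Both handlers begin and end outside the hunks.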