SECURITY: don't allow re-using the current password during password reset

2016-08-24 12:27:09 -04:00 · 2016-08-24 12:27:09 -04:00 · 7a81669c18
parent 79245a25a3
commit 7a81669c18
3 changed files with 12 additions and 0 deletions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -340,6 +340,7 @@ en:
              common: "is one of the 10000 most common passwords. Please use a more secure password."
              same_as_username: "is the same as your username. Please use a more secure password."
              same_as_email: "is the same as your email. Please use a more secure password."
+              same_as_current: "is the same as your current password."
            ip_address:
              signup_not_allowed: "Signup is not allowed from this account."
        color_scheme_color:
--- a/lib/validators/password_validator.rb
+++ b/lib/validators/password_validator.rb
@ -14,6 +14,8 @@ class PasswordValidator < ActiveModel::EachValidator
      record.errors.add(attribute, :same_as_username)
    elsif record.email.present? && value == record.email
      record.errors.add(attribute, :same_as_email)
+    elsif record.confirm_password?(value)
+      record.errors.add(attribute, :same_as_current)
    elsif SiteSetting.block_common_passwords && CommonPasswords.common_password?(value)
      record.errors.add(attribute, :common)
    end
--- a/spec/components/validators/password_validator_spec.rb
+++ b/spec/components/validators/password_validator_spec.rb
@ -96,6 +96,15 @@ describe PasswordValidator do
      validate
      expect(record.errors[:password]).to be_present
    end
+
+    it "adds an error when new password is same as current password" do
+      @password = "mypetsname"
+      record.save!
+      record.reload
+      record.password = @password
+      validate
+      expect(record.errors[:password]).to be_present
+    end
  end

  context "password not required" do