author | Michael Tänzer <neo@nhng.de> | 2011-06-22 00:21:45 +0200 |
---|---|---|
committer | Michael Tänzer <neo@nhng.de> | 2011-06-22 00:21:45 +0200 |
commit | e7368868ba88433956ad034fb7883d2dcd9566be (patch) | |
tree | 2718e822d17fe30cec13764ae61529c8901734d2 | |
parent | 62f99b561a13e51e8f4d55a36092de536c531d99 (diff) | |
#637: Move a subset of password checks to a separate function and check it
on every login
The subset are some very lightweight checks that contain the check for the
old password suggestion
Signed-off-by: Michael Tänzer <neo@nhng.de>
-rw-r--r-- | includes/general.php | 15 | ||||
-rw-r--r-- | www/index.php | 2 |
2 files changed, 14 insertions, 3 deletions
diff --git a/includes/general.php b/includes/general.php
index 5789875..aa74e9b 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -248,8 +248,7 @@
  }
  }
- function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
- {
+ function checkpwlight($pwd) {
  $points = 0;
  if(strlen($pwd) > 15)
@@ -279,7 +278,19 @@
  $points++;
  //echo "Points due to length and charset: $points<br/>";
+
+ // check for historical password proposal
+ if ($pwd === "Fr3d Sm|7h") {
+ return 0;
+ }
+
+ return $points;
+ }
+ function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
+ {
+ $points = checkpwlight($pwd);
+
  if(@strstr(strtolower($pwd), strtolower($email)))
  $points--;
diff --git a/www/index.php b/www/index.php
index 2634a47..d42a4dc 100644
--- a/www/index.php
+++ b/www/index.php
@@ -332,7 +332,7 @@
  $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
  $_SESSION['_config']['oldlocation'] = "account.php?id=13";
  }
- if ($pword === "Fr3d Sm|7h")
+ if (checkpwlight($pword) < 3)
  $_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
  if($_SESSION['_config']['oldlocation'] != "")
  header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']); |
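Review bot: `checkpwlight()` is introduced in the first hunk of includes/general.php without a doc comment, so the meaning of its return value is left to the reader even though www/index.php in this same commit compares it against a literal `3`. A short docblock above the new signature would close that gap, for example `/** Cheap length/charset score for $pwd; returns 0 for the historical password suggestion. Does not compare against e-mail or name, use checkpw() for that. */`. The opening brace also sits on the signature line while `checkpw()` keeps it on the following line; matching the existing style keeps the two functions visually parallel. The body of the function continues outside this hunk.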
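Review bot: The historical-password test is the last statement of `checkpwlight()` in the second hunk, so the whole score is computed and then discarded; written as a guard clause at the top of the function it would be the first rule a reader sees. The comparison is an exact `===` against an inline literal, which only catches the suggestion typed verbatim; a named constant or small deny-list array (for example `$denied = array("Fr3d Sm|7h");` with `in_array($pwd, $denied, true)`) documents the intent and leaves room for further entries. `checkpw()` now starts from 0 for that password and keeps subtracting, so its callers have to treat negative scores as failing; their thresholds are not visible here. The start of `checkpwlight()` and the rest of `checkpw()` lie outside this hunk.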
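Review bot: `checkpwlight($pword) < 3` in www/index.php scores whatever `$pword` holds at this point, and its assignment is outside the hunk; if the value has already been escaped or stripped for the login query, the length and character-class counts are taken on the transformed string and can differ from what `checkpw()` saw when the password was set. Scoring the untransformed request value would avoid that, which needs confirming against the lines above. The threshold `3` is a bare literal; a shared constant (for example `MIN_PW_POINTS`, a constructed name) used here and wherever `checkpw()` results are judged keeps the login-time rule and the set-password rule from drifting apart. The change only sets `oldlocation`, so whether the forced password change is actually enforced depends on how account.php handles `id=14&force=1`, which is not shown.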