Prevent passwords being set with empty strings

[settermjd]

Description

Currently, if an attempt is made to set a password with an, effectively, empty string it will be accepted
without question. This PR seeks to prevent that from happening, by ensuring that passwords must be set to a meaningful/valid value.

Related Issue

• Fixes https://github.com/owncloud/security-tracker/issues/282.

Motivation and Context

It prevents a user's password from being set to an empty string.

How Has This Been Tested?

• Unit tests have been added to cover the changes.

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests

Checklist:

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation ticket raised:

Open tasks:

• Backport (if applicable set "backport-request" label and remove when the backport was done)

[phil-davis]

This will prevent someone setting their password to the string char "0".
I guess that is not such a bad restriction on valid password strings.

[settermjd]

True. But on reading after coming to understand the code better and reading through https://github.com/owncloud/security-tracker/issues/282 in light of that information, it appears to me that this PR isn't required, as the code works as expected.

[settermjd]

Turns out, this PR's still in the game after further discussion with @PVince81.

[PVince81]

please avoid using empty() in any case due to its nasty implicit nature.
if you intend to check for "0" then add an explicit check for it

[settermjd]

Feedback addressed @PVince81.

[codecov]

Codecov Report

Merging #32261 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #32261      +/-   ##
============================================
+ Coverage     64.09%    64.1%   +<.01%     
- Complexity    18661    18670       +9     
============================================
  Files          1177     1177              
  Lines         70247    70255       +8     
  Branches       1270     1270              
============================================
+ Hits          45026    45035       +9     
+ Misses        24851    24850       -1     
  Partials        370      370

Flag	Coverage Δ	Complexity Δ
#javascript	52.89% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	65.37% <100%> (ø)	18670 <2> (+9)	⬆️

Impacted Files	Coverage Δ	Complexity Δ
lib/private/User/Database.php	72.5% <100%> (+0.46%)	44 <0> (+1)	⬆️
lib/public/Util.php	57.75% <100%> (+0.68%)	79 <2> (+2)	⬆️
lib/private/User/User.php	88.88% <100%> (+0.75%)	74 <0> (+6)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 364af70...1424934. Read the comment docs.

[PVince81]

@DeepDiver1975 thoughts on this ? does PHP 7.2 bring something ?

[settermjd]

@DeepDiver1975?

[PVince81]

@settermjd can you remove this trait ? this feels a bit overengineered

[PVince81]

maybe put this as a local method on the class then. I'd rather move this forward to get it merged than spend a long time trying to decide where this method needs to go

[settermjd]

I'm slightly reluctant as it'd have to be copied into both Database and User, as they don't share a common base class and the functionality's not logically specific to either. However, if that's the call, just say and I'll make it happen.

[PVince81]

should we then rather move it to \OCP\Util then ? then any app can use it.
a Trait feel a bit like overkill

[PVince81]

@settermjd please move this to \OCP\Util

[settermjd]

Odd, I thought I'd already done this.

[PVince81]

we usually use \InvalidArgumentException

[PVince81]

sounds like a bit much adding all these new traits and classes just for this simple thing

[PVince81]

feels like overkill to have a trait just for this

maybe we could move the test set to the TestCase base class and put common data providers there, but then it would be providesEmptyValues() and not specific to passwords

[settermjd]

Sounds fine to me. The main motivation was not to have duplicated code. But if having a similar method in TestCase achieves the same objective, them I'm 💯% behind it!

[settermjd]

@PVince81, is it ok to go now?

[PVince81]

please move the utility function to \OCP\Util

[settermjd]

@PVince81, the function's been moved. Thanks for the push.

[PVince81]

please fix the styles, see https://drone.owncloud.com/owncloud/core/10097/69 or run make test-php-style

[PVince81]

@ownclouders rebase

[ownclouders]

Hey! I'm GitMate.io! This pull request is being rebased automatically. Please DO NOT push while rebase is in progress or your changes would be lost permanently ⚠️

[ownclouders]

Automated rebase with GitMate.io was successful! 🎉

[PVince81]

squashed. I hope this will also nudge Drone

[PVince81]

stable10: #32581

hopeful that there were no more testing issues then...

[phil-davis]

Some drone problem in the install-server step of all the sub-jobs. I restarted drone just now.

[settermjd]

@PVince81, do you still want #32261 (comment) done?

[PVince81]

@settermjd I already fixed those myself

[PVince81]

restarted the builds

[PVince81]

seems rebasing did not help:

federatedfilesharing enabled
+ php occ a:l
Enabled:
  - comments: 0.3.0
  - dav: 0.3.2
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.2
  - files_external: 0.7.1
  - files_sharing: 0.11.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - updatenotification: 0.2.1
+ php occ a:e testing
testing not found

maybe resend the PR separately ?

[settermjd]

@PVince81, I don't understand what you're asking in #32261 (comment).

[phil-davis]

@settermjd I rebased it locally and force pushed here. CI is running again, let's see.

[phil-davis]

CI passing 🎆