From 4fbf6ecfa0b4bfa3c2b1683be544f1806e0c4601 Mon Sep 17 00:00:00 2001
From: Platonides
Date: Wed, 27 Oct 2010 22:26:39 +0000
Subject: [PATCH] Add feature to block common (weak) passwords. This closes the hole of passwords hardcoded in r72475,r74213. Also see r75589.
---
 includes/DefaultSettings.php | 6 ++++++
 includes/User.php | 8 ++++++--
 languages/messages/MessagesEn.php | 1 +
 maintenance/language/messages.inc | 1 +
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1414d83bed..fd6bcbb0f7 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2770,6 +2770,12 @@ $wgMinimalPasswordLength = 1;
  */
 $wgLivePasswordStrengthChecks = false;
 
+/**
+ * List of weak passwords which shouldn't be allowed.
+ * The items should be in lowercase. The check is case insensitive.
+ */
+$wgWeakPasswords = array( 'password', 'passpass', 'passpass1' );
+
 /**
  * Maximum number of Unicode characters in signature
  */
diff --git a/includes/User.php b/includes/User.php
index 7fc0cce19a..9eec233e2c 100644
--- a/includes/User.php
+++ b/includes/User.php
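Review bot: The doc comment on the new `$wgWeakPasswords` says the check is case insensitive but not that it is an exact whole-string match, so an admin reading only this comment may expect substring or pattern matching when in fact 'password1' or 'password!' pass this default list unchanged. Since `User::getPasswordValidity` lowercases the candidate with `$wgContLang->lc` and then tests plain membership with `in_array`, suggest adding ` * Each entry is compared as a whole against the lowercased password (no substring matching); sites are expected to extend this short default list.` to the doc block. The three default entries appear to be tied to the hardcoded passwords the commit message mentions rather than to a general weak-password list, which is worth stating in the comment as well.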
@@ -601,18 +601,22 @@ class User {
  * @return mixed: true on success, string of error message on failure
  */
 function getPasswordValidity( $password ) {
- global $wgMinimalPasswordLength, $wgContLang;
+ global $wgMinimalPasswordLength, $wgWeakPasswords, $wgContLang;
 
 $result = false; //init $result to false for the internal checks
 
 if( !wfRunHooks( 'isValidPassword', array( $password, &$result, $this ) ) )
 return $result;
 
+ $lcPassword = $wgContLang->lc( $password );
+
 if ( $result === false ) {
 if( strlen( $password ) < $wgMinimalPasswordLength ) {
 return 'passwordtooshort';
- } elseif ( $wgContLang->lc( $password ) == $wgContLang->lc( $this->mName ) ) {
+ } elseif ( $lcPassword == $wgContLang->lc( $this->mName ) ) {
 return 'password-name-match';
+ } elseif ( in_array( $lcPassword, $wgWeakPasswords ) ) {
+ return 'password-too-weak';
 } else {
 //it seems weird returning true here, but this is because of the
 //initialization of $result to false above. If the hook is never run or it
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 9458d6148f..f9ddda9a5b 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -1085,6 +1085,7 @@ Please try again.',
 Please try again.',
 'passwordtooshort' => 'Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.',
 'password-name-match' => 'Your password must be different from your username.',
+'password-too-weak' => 'The provided password is too weak and cannot be used.',
 'mailmypassword' => 'E-mail new password',
 'passwordremindertitle' => 'New temporary password for {{SITENAME}}',
 'passwordremindertext' => 'Someone (probably you, from IP address $1) requested a new
diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc
index 7abedfcbdc..12dd290d76 100644
--- a/maintenance/language/messages.inc
+++ b/maintenance/language/messages.inc
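Review bot: `in_array( $lcPassword, $wgWeakPasswords )` in the new `elseif` uses loose comparison, so if a site adds a numeric-looking entry (a constructed example: '123456') PHP compares numeric strings numerically and '0123456' or '123456.0' are also rejected, and a non-string entry in the list makes the outcome hard to predict; pass the strict flag: `} elseif ( in_array( $lcPassword, $wgWeakPasswords, true ) ) {`. The check also relies on the configuration promise that entries are already lowercase — an entry containing an uppercase letter silently never matches — so either lowercase each entry through `$wgContLang->lc` before comparing, or make the dependency visible with a comment such as `// entries in $wgWeakPasswords must already be lowercase (see DefaultSettings.php)`. getPasswordValidity's body continues past the end of the hunk.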
@@ -430,6 +430,7 @@ $wgMessageStructure = array(
 'wrongpasswordempty',
 'passwordtooshort',
 'password-name-match',
+ 'password-too-weak',
 'mailmypassword',
 'passwordremindertitle',
 'passwordremindertext',
-- 
2.20.1