SECURITY: don't allow re-using the current password during password r…

…eset
fbxie · Aug 24, 2016 · 7a81669 · 7a81669
1 parent 79245a2
commit 7a81669
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -340,6 +340,7 @@ en:
               common: "is one of the 10000 most common passwords. Please use a more secure password."
               same_as_username: "is the same as your username. Please use a more secure password."
               same_as_email: "is the same as your email. Please use a more secure password."
+              same_as_current: "is the same as your current password."
             ip_address:
               signup_not_allowed: "Signup is not allowed from this account."
         color_scheme_color:

diff --git a/lib/validators/password_validator.rb b/lib/validators/password_validator.rb
@@ -14,6 +14,8 @@ def validate_each(record, attribute, value)
       record.errors.add(attribute, :same_as_username)
     elsif record.email.present? && value == record.email
       record.errors.add(attribute, :same_as_email)
+    elsif record.confirm_password?(value)
+      record.errors.add(attribute, :same_as_current)
     elsif SiteSetting.block_common_passwords && CommonPasswords.common_password?(value)
       record.errors.add(attribute, :common)
     end

diff --git a/spec/components/validators/password_validator_spec.rb b/spec/components/validators/password_validator_spec.rb
@@ -96,6 +96,15 @@
       validate
       expect(record.errors[:password]).to be_present
     end
+
+    it "adds an error when new password is same as current password" do
+      @password = "mypetsname"
+      record.save!
+      record.reload
+      record.password = @password
+      validate
+      expect(record.errors[:password]).to be_present
+    end
   end
 
   context "password not required" do