From a83518982394f93e843e68f663fd39b2d6fd5150 Mon Sep 17 00:00:00 2001
From: rxu
Date: Tue, 15 Mar 2011 22:21:43 +0700
Subject: [PATCH 1/4] [ticket/9751] Password requirement "Must contain letters and numbers" fails
PHPBB3-9751
---
 phpBB/includes/functions_user.php | 6 +-
 tests/regex/password_complexity_test.php | 81 ++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 tests/regex/password_complexity_test.php
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 8a204995aa..88e07f729c 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1617,7 +1617,6 @@ function validate_password($password)
 {
 $upp = '\p{Lu}';
 $low = '\p{Ll}';
- $let = '\p{L}';
 $num = '\p{N}';
 $sym = '[^\p{Lu}\p{Ll}\p{N}]';
 $pcre = true;
@@ -1627,7 +1626,6 @@ function validate_password($password)
 mb_regex_encoding('UTF-8');
 $upp = '[[:upper:]]';
 $low = '[[:lower:]]';
- $let = '[[:lower:][:upper:]]';
 $num = '[[:digit:]]';
 $sym = '[^[:upper:][:lower:][:digit:]]';
 $mbstring = true;
@@ -1636,7 +1634,6 @@ function validate_password($password)
 {
 $upp = '[A-Z]';
 $low = '[a-z]';
- $let = '[a-zA-Z]';
 $num = '[0-9]';
 $sym = '[^A-Za-z0-9]';
 $pcre = true;
@@ -1652,7 +1649,8 @@ function validate_password($password)
 break;
 case 'PASS_TYPE_ALPHA':
- $chars[] = $let;
+ $chars[] = $low;
+ $chars[] = $upp;
 $chars[] = $num;
 break;
diff --git a/tests/regex/password_complexity_test.php b/tests/regex/password_complexity_test.php
new file mode 100644
index 0000000000..21e8d12a0a
--- /dev/null
+++ b/tests/regex/password_complexity_test.php
@@ -0,0 +1,81 @@
+assertFalse(validate_password($password));
+ }
+
+ /**
+ * @dataProvider password_complexity_test_data_negative
+ */
+ public function test_password_complexity_negative($password, $mode)
+ {
+ global $config;
+ $config['pass_complex'] = $mode;
+ $this->assertEquals('INVALID_CHARS', validate_password($password));
+ }
+}
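Review bot: In the `PASS_TYPE_ALPHA` hunk the mode now pushes `$low`, `$upp` and `$num` separately, so if every `$chars` entry has to match (as the rest of the function presumably requires — it is outside the hunk), a password such as `abc123` is rejected even though the subject quotes the requirement as "letters and numbers". If the stricter meaning is intended, record it at the case so the user-facing requirement text can be kept in step: `// PASS_TYPE_ALPHA implies PASS_TYPE_CASE: lower- and upper-case letters plus a digit`. The new test file in this patch has lost most of its body in this copy (only the tail of the last two methods survives), so its expected inputs cannot be reviewed here. validate_password begins and ends outside the hunk.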
From dba8cf12fd2573edc9722076770140c7b4024f6b Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 25 Mar 2011 22:48:44 +0100
Subject: [PATCH 2/4] [ticket/9751] Use a switch/case block without break for password complexity.
PHPBB3-9751
---
 phpBB/includes/functions_user.php | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 88e07f729c..c51e571e31 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1643,23 +1643,25 @@ function validate_password($password)
 switch ($config['pass_complex'])
 {
+ // No break statements below ...
+ // We require strong passwords in case pass_complex is not set or is invalid
+ default:
+
+ // Require mixed case letters, numbers and symbols
+ case 'PASS_TYPE_SYMBOL':
+ $chars[] = $sym;
+
+ // Require mixed case letters and numbers
+ case 'PASS_TYPE_ALPHA':
+ $chars[] = $num;
+
+ // Require mixed case letters
 case 'PASS_TYPE_CASE':
 $chars[] = $low;
 $chars[] = $upp;
- break;
- case 'PASS_TYPE_ALPHA':
- $chars[] = $low;
- $chars[] = $upp;
- $chars[] = $num;
- break;
-
- case 'PASS_TYPE_SYMBOL':
- $chars[] = $low;
- $chars[] = $upp;
- $chars[] = $num;
- $chars[] = $sym;
- break;
+ // No requirements
+ case 'PASS_TYPE_ANY':
 }
 if ($pcre)
From 7cc32d3843afbb754b3de101bda2267012647c2f Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 25 Mar 2011 23:11:15 +0100
Subject: [PATCH 3/4] [ticket/9751] Compare $password with empty string instead of casting it to bool
PHPBB3-9751
---
 phpBB/includes/functions_user.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index c51e571e31..6ac6317dd2 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
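Review bot: The intentional fall-through is documented only once, by `// No break statements below ...` at the top of the switch, so a reader of a single case body and PHP_CodeSniffer's PSR-2 switch sniff will both treat the missing `break` as an error; the conventional form is a `// no break` comment at the end of each falling-through body, here after `$chars[] = $sym;`, after `$chars[] = $num;` and after `$chars[] = $upp;`. Putting `default:` first so that an unset or unrecognised pass_complex gets the strictest rule set is a fail-closed choice worth keeping. Note that the requirement ordering (SYMBOL adds to ALPHA adds to CASE) is now carried by case position alone, so a case inserted in the wrong place silently changes what a mode requires; the per-case comments are what guard against that. The enclosing function starts and ends outside the hunk.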
@@ -1605,7 +1605,7 @@ function validate_password($password)
 {
 global $config, $db, $user;
- if (!$password)
+ if ($password === '')
 {
 return false;
 }
From 4dce53628c97062b1085eb714892f6d81ae07699 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Fri, 25 Mar 2011 23:15:40 +0100
Subject: [PATCH 4/4] [ticket/9751] Add shortcut logic for pass_complex == PASS_TYPE_ANY.
Add shortcut logic for pass_complex because this is the default value phpBB ships with and there is nothing to do in that function in that case.
PHPBB3-9751
---
 phpBB/includes/functions_user.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 6ac6317dd2..89ce52dc39 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1605,8 +1605,9 @@ function validate_password($password)
 {
 global $config, $db, $user;
- if ($password === '')
+ if ($password === '' || $config['pass_complex'] === 'PASS_TYPE_ANY')
 {
+ // Password empty or no password complexity required.
 return false;
 }
@@ -1659,9 +1660,6 @@ function validate_password($password)
 case 'PASS_TYPE_CASE':
 $chars[] = $low;
 $chars[] = $upp;
-
- // No requirements
- case 'PASS_TYPE_ANY':
 }
 if ($pcre)
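Review bot: `$password === ''` no longer short-circuits for a null or non-string argument the way `!$password` did; the parameter is untyped, so if any caller can hand in null, the function now carries it into the regex checks further down (outside the hunk). The strict comparison is the right fix for the actual bug — `0` and `'0'` were wrongly treated as empty — so the remaining gap is worth a comment on the check: `// empty-string check only: callers pass a string; min length is enforced by the caller's length rule`, assuming that is where the minimum-length check lives (confirm against the callers; returning false here reports the empty password as valid). validate_password continues past the end of the hunk.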
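Review bot: The new `$config['pass_complex'] === 'PASS_TYPE_ANY'` test reads the key before the switch's `default:` branch gets a chance to cover the "not set" case that its comment (previous patch) promises, so an unset key now raises an undefined-index notice on the way to the strict rules rather than reaching them silently; if pass_complex can really be absent, guard the read, e.g. `if ($password === '' || (isset($config['pass_complex']) && $config['pass_complex'] === 'PASS_TYPE_ANY'))`. Dropping `case 'PASS_TYPE_ANY':` in the second hunk is consistent with the early return: every value other than the exact string now lands in `default:` and gets the strictest requirements, which is the fail-closed outcome. Returning false for both the empty password and the no-requirements mode is fine, but the added comment could say which result that is: `// Password empty or no password complexity required: report no complexity error.`. The function continues outside both hunks.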