Bug #847 - #928: The character ':' is now allowed in passwords

include/User.h

@@ -32,10 +32,15 @@ class User : public PoolObjectSQL
 {
 public:
 
+    /**
+     *  Characters that can not be in a name
+     */
+    static const string INVALID_NAME_CHARS;
+
     /**
      *  Characters that can not be in a password
      */
-    static const string INVALID_CHARS;
+    static const string INVALID_PASS_CHARS;
 
     /**
      * Function to print the User object into a string in XML format
@@ -79,33 +84,22 @@ public:
     };
 
     /**
-     *  Checks if a name or password is valid, i.e. it is not empty and does not
+     *  Checks if a name is valid, i.e. it is not empty and does not
      *  contain invalid characters.
-     *    @param str Name or password to be checked
+     *    @param uname Name to be checked
      *    @param error_str Returns the error reason, if any
      *    @return true if the string is valid
      */
-    static bool is_valid(const string& str, string& error_str)
-    {
-        if ( str.empty() )
-        {
-            error_str = "cannot be empty";
-            return false;
-        }
+    static bool name_is_valid(const string& uname, string& error_str);
 
-        size_t pos = str.find_first_of(INVALID_CHARS);
-
-        if ( pos != string::npos )
-        {
-            ostringstream oss;
-            oss << "character '" << str.at(pos) << "' is not allowed";
-
-            error_str = oss.str();
-            return false;
-        }
-
-        return true;
-    }
+    /**
+     *  Checks if a password is valid, i.e. it is not empty and does not
+     *  contain invalid characters.
+     *    @param pass Password to be checked
+     *    @param error_str Returns the error reason, if any
+     *    @return true if the string is valid
+     */
+    static bool pass_is_valid(const string& pass, string& error_str);
 
     /**
      *  Sets user password. It checks that the new password does not contain
@@ -118,13 +112,12 @@ public:
     {
         int rc = 0;
 
-        if (is_valid(passwd, error_str))
+        if (pass_is_valid(passwd, error_str))
         { 
             password = passwd;
         }
         else
         {
-            error_str = string("Invalid password: ").append(error_str);
             rc = -1;
         }
 

src/um/User.cc

@@ -27,7 +27,8 @@
 #include "Group.h"
 
 
-const string User::INVALID_CHARS = " :\t\n\v\f\r";
+const string User::INVALID_NAME_CHARS = " :\t\n\v\f\r";
+const string User::INVALID_PASS_CHARS = " \t\n\v\f\r";
 
 /* ************************************************************************** */
 /* User :: Database Access Functions                                          */
@@ -208,3 +209,58 @@ int User::split_secret(const string secret, string& user, string& pass)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
+bool User::name_is_valid(const string& uname, string& error_str)
+{
+    if ( uname.empty() )
+    {
+        error_str = "Invalid NAME, it cannot be empty";
+        return false;
+    }
+
+    size_t pos = uname.find_first_of(INVALID_NAME_CHARS);
+
+    if ( pos != string::npos )
+    {
+        ostringstream oss;
+        oss << "Invalid NAME, character '" << uname.at(pos) << "' is not allowed";
+
+        error_str = oss.str();
+        return false;
+    }
+
+    if ( uname.length() > 128 )
+    {
+        error_str = "Invalid NAME, max length is 128 chars";
+        return false;
+    }
+
+    return true;
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+bool User::pass_is_valid(const string& pass, string& error_str)
+{
+    if ( pass.empty() )
+    {
+        error_str = "Invalid password, it cannot be empty";
+        return false;
+    }
+
+    size_t pos = pass.find_first_of(INVALID_PASS_CHARS);
+
+    if ( pos != string::npos )
+    {
+        ostringstream oss;
+        oss << "Invalid password, character '" << pass.at(pos) << "' is not allowed";
+
+        error_str = oss.str();
+        return false;
+    }
+
+    return true;
+}
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+

src/um/UserPool.cc

@@ -143,22 +143,16 @@ int UserPool::allocate (
     ostringstream   oss;
 
     // Check username and password
-    if ( !User::is_valid(password, error_str) )
+    if ( !User::pass_is_valid(password, error_str) )
     {
         goto error_pass;
     }
 
-    if ( !User::is_valid(uname, error_str) )
+    if ( !User::name_is_valid(uname, error_str) )
     {
         goto error_name;
     }
 
-    if ( uname.length() > 128 )
-    {
-        error_str = "max length is 128 chars";
-        goto error_name;
-    }
-
     // Check for duplicates
     user = get(uname,false);
 
@@ -207,11 +201,11 @@ int UserPool::allocate (
     return *oid;
 
 error_pass:
-    oss << "Invalid password, " << error_str << ".";
+    oss << error_str << ".";
     goto error_common;
 
 error_name:
-    oss << "Invalid NAME, " << error_str << ".";
+    oss << error_str << ".";
     goto error_common;
 
 error_duplicated: