Thread tagged as: Question, Problem, Runway

Paranoid Mode Not Enforcing Password Length

I have set define('PERCH_PARANOID', true) but was still able to set a password to 5 characters long. I have also tried: define(PERCH_PASSWORD_MIN_LENGTH: 8) and it still wasn't being enforced.

Diagnostics

Perch Runway: 3.0.8
Production mode: Production (100)
Installed apps: content (3.0.8), assets (3.0.8), categories (3.0.8), perch_blog (5.5.1), perch_forms (1.9.1)
DB driver: PDO
DB tables: perch3_backup_plans (1), perch3_backup_resources (0), perch3_backup_runs (17), perch3_blog_authors (1), perch3_blog_comments (0), perch3_blog_index (268), perch3_blog_posts (11), perch3_blog_posts_to_tags (0), perch3_blog_sections (1), perch3_blog_tags (0), perch3_blogs (1), perch3_categories (29), perch3_category_counts (0), perch3_category_sets (2), perch3_collection_index (13500), perch3_collection_items (908), perch3_collection_revisions (194), perch3_collections (1), perch3_content_index (787), perch3_content_items (206), perch3_content_locks (0), perch3_content_regions (4), perch3_forms (2), perch3_forms_responses (0), perch3_menu_items (12), perch3_navigation (1), perch3_navigation_pages (2), perch3_page_routes (8), perch3_page_templates (20), perch3_pages (10), perch3_resource_log (3066), perch3_resource_tags (0), perch3_resources (1387), perch3_resources_to_tags (0), perch3_settings (29), perch3_user_passwords (4), perch3_user_privileges (35), perch3_user_role_privileges (6), perch3_user_roles (2), perch3_users (4)
Users: 4
App runtimes:
<?php
    $apps_list = [
        'perch_blog',
        'perch_forms',
    ];
Scheduled tasks for perch_blog: delete_spam_comments (1440 mins)
Scheduled tasks for Backup: plan_1 (10 mins)
Editor plug-ins: config.js
H1: e49f2b1f1a5c33f77bf4205325eafb17
L1: 208d4f52e4e802596b1674cc52ed6be5
F1: 0c66c2e1f82f9e0b7617b2cb8270f2c7
content_singlePageEdit: 1
helpURL:
siteURL: /
hideBranding: 1
content_collapseList: 1
lang: en-gb
installedAt: 3.0.8
update_3.0.8: done
headerColour: #000000
headerScheme: dark
update_runway_3.0.8: done
latest_version:
on_sale_version: 3.0.8
dashboard: 0
hide_pwd_reset: 0
keyboardShortcuts: 1
siteOffline: 0
content_hideNonEditableRegions: 0
content_frontend_edit: 0
content_skip_region_list: 0
perch_blog_update: 5.0.1
perch_blog_post_url: /blog/{postSlug}
perch_blog_site_name:
perch_blog_slug_format: %Y-%m-%d-{postTitle}
perch_blog_akismet_key:
perch_blog_max_spam_days: 30
perch_blog_comment_notify: 0
logoPath: /admin/resources/logo.svg
PERCH_DEVELOPMENT: 10
PERCH_STAGING: 50
PERCH_PRODUCTION: 100
PERCH_SITEPATH: /Users/Toby/Sites/create-this
PERCH_SCHEDULE_SECRET: Er5C4HswprZy2Ctk
PERCH_DB_USERNAME: root
PERCH_DB_SERVER: localhost
PERCH_DB_DATABASE: perch_ct_local
PERCH_DB_PREFIX: perch3_
PERCH_EMAIL_FROM: helpus@create-this.co.uk
PERCH_EMAIL_FROM_NAME: Create-This
PERCH_LOGINPATH: /admin
PERCH_PATH: /Users/Toby/Sites/create-this/admin
PERCH_CORE: /Users/Toby/Sites/create-this/admin/core
PERCH_RESFILEPATH: /Users/Toby/Sites/create-this/admin/resources
PERCH_RESPATH: /admin/resources
PERCH_HTML5: 1
PERCH_TZ: UTC
PERCH_CUSTOM_EDITOR_CONFIGS: 1
PERCH_PARANOID: 1
PERCH_PASSWORD_MIN_LENGTH: 8
PERCH_RUNWAY: 1
PERCH_ERROR_MODE: DIE
PERCH_DATE_LONG: %d %B %Y
PERCH_DATE_SHORT: %d %b %Y
PERCH_TIME_SHORT: %H:%M
PERCH_TIME_LONG: %H:%M:%S
PERCH_RUNWAY_ROUTED:
PERCH_STRONG_PASSWORDS:
PERCH_ASSET_VERSION: 5163d57ff611b3cf853b
PERCH_DEBUG:
PERCH_PREVIEW_ARG: preview
PERCH_TEMPLATE_PATH: /Users/Toby/Sites/create-this/admin/templates
PERCH_TEMPLATE_FILTERS:
PERCH_DEFAULT_DOC: index.php
PERCH_DEFAULT_EXT: .php
PERCH_PRODUCTION_MODE: 100
PERCH_XHTML_MARKUP:
PERCH_RWD: 1
PERCH_HTML_ENTITIES:
PERCH_SSL:
PERCH_STRIPSLASHES:
PERCH_PROGRESSIVE_FLUSH: 1
PERCH_FORCE_SECURE_COOKIES: 1
PERCH_DEFAULT_BUCKET: default
PERCH_TRANSLATION_ASSIST:
PERCH_MAX_FAILED_LOGINS: 10
PERCH_AUTH_LOCKOUT_DURATION: 1 HOUR
PERCH_VERIFY_UPLOADS: 1
PERCH_PRIV_ASSIST:
PERCH_AUTH_PLUGIN:
PERCH_DB_CHARSET: utf8
PERCH_DB_PORT:
PERCH_DB_SOCKET:
PERCH_SESSION_TIMEOUT_MINS: 20
PERCH_APPS_EDITOR_PLUGIN: markitup
PERCH_APPS_EDITOR_MARKUP_LANGUAGE: markdown

Hosting settings

PHP: 5.6.30
Zend: 2.6.0
OS: Darwin
SAPI: cgi-fcgi
Safe mode: not detected
MySQL client: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $
MySQL server: 5.6.35
Free disk space: 27.03 GB
Extensions: Core, date, ereg, libxml, openssl, pcre, sqlite3, zlib, bcmath, bz2, calendar, ctype, curl, dom, hash, fileinfo, filter, ftp, gd, SPL, iconv, intl, json, ldap, mbstring, session, standard, mysqlnd, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, mysql, SimpleXML, soap, sockets, exif, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, cgi-fcgi, imap, gettext, mcrypt, pgsql, pdo_pgsql, igbinary, memcached, mhash
GD: Yes
ImageMagick: No
PHP max upload size: 32M
PHP max form post size: 32M
PHP memory limit: 128M
Total max uploadable file size: 32M
Resource folder writeable: Yes
Session timeout: 24 minutes
Native JSON: Yes
Filter functions: Yes
Transliteration functions: Yes
PHP_FCGI_CHILDREN: 4
PWD: /Applications/MAMP/fcgi-bin
PHP_FCGI_MAX_REQUESTS: 200
__CF_USER_TEXT_ENCODING: 0x1F5:0x0:0x2
ORIG_SCRIPT_NAME: /fcgi-bin/php5.6.30.fcgi
ORIG_PATH_TRANSLATED: /Users/Toby/Sites/create-this/admin/core/settings/diagnostics/index.php
ORIG_PATH_INFO: /admin/core/settings/diagnostics/index.php
ORIG_SCRIPT_FILENAME: /Applications/MAMP/fcgi-bin/php5.6.30.fcgi
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
REQUEST_URI: /admin/core/settings/diagnostics/?extended
QUERY_STRING: extended
REQUEST_METHOD: GET
SERVER_PROTOCOL: HTTP/1.1
GATEWAY_INTERFACE: CGI/1.1
REDIRECT_URL: /admin/core/settings/diagnostics/index.php
REDIRECT_QUERY_STRING: extended
REMOTE_PORT: 63252
SCRIPT_FILENAME: /Users/Toby/Sites/create-this/admin/core/settings/diagnostics/index.php
SERVER_ADMIN: you@example.com
DOCUMENT_ROOT: /Users/Toby/Sites/create-this
REMOTE_ADDR: ::1
SERVER_PORT: 8888
SERVER_ADDR: ::1
SERVER_NAME: ct.loc
SERVER_SOFTWARE: Apache
PATH: /usr/bin:/bin:/usr/sbin:/sbin
HTTP_COOKIE: cmsa=1; PHPSESSID=50d8b0c29f34dcb71c08c1f6f3ac5823
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_REFERER: https://ct.loc:8888/admin/core/settings/diagnostics/
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_CONNECTION: keep-alive
HTTP_HOST: ct.loc:8888
REDIRECT_STATUS: 200
REDIRECT_HANDLER: php-fastcgi
FCGI_ROLE: RESPONDER
PHP_SELF: /admin/core/settings/diagnostics/index.php
REQUEST_TIME_FLOAT: 1502177074.49
REQUEST_TIME: 1502177074
argc: 1

Toby Martin 1 points

  • 4 years ago

Drew McLellan 2638 points
Perch Support

Where and when are you setting the password?

First via the link in the email generated by creating a new user. Then if I log in as that user, I can again set a password below that threshold.

Drew McLellan 2638 points
Perch Support

Can you give me the URLs?

Link from email: /admin/core/reset/?token=4vse4q29rz9pklih6avlvqx9puim6u20&new=1

And on the account page: admin/core/account/

Drew McLellan 2638 points
Perch Support

For some reason you have PERCH_STRONG_PASSWORDS as false. Not sure why that is, but try:

define('PERCH_STRONG_PASSWORDS', true);

Great, that worked, although define('PERCH_STRONG_PASSWORDS', false); wasn't declared in my config.

On a related note, if I go into the Users section and choose to resend the link for that user without entering my own password to Authenticate, the form shows a validation error but the email still comes through.

Drew McLellan 2638 points
Perch Support

Right, false is the default as most people don't want that functionality.

But shouldn't define('PERCH_PARANOID', true) set PERCH_STRONG_PASSWORDS to true?

Drew McLellan 2638 points
Perch Support

It should do, yes, and now it does, but in the build you have it wasn't.

Good to know, cheers as always Drew.
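
A check for the mismatch found in this thread, as an added example (not Perch code and not written by either poster): it reads a pasted diagnostics report and flags PERCH_PARANOID or PERCH_PASSWORD_MIN_LENGTH being set while PERCH_STRONG_PASSWORDS is off. The function names and the sample report are constructed, and treating an empty value as false is an assumption based on how the report above prints that flag.

```python
import re

# Constructed sample: a few lines in the "NAME: value" layout of the
# diagnostics report quoted in this thread (values copied from that report).
SAMPLE_REPORT = """\
Perch Runway: 3.0.8
PERCH_PARANOID: 1
PERCH_PASSWORD_MIN_LENGTH: 8
PERCH_STRONG_PASSWORDS:
PERCH_MAX_FAILED_LOGINS: 10
"""

# Only PERCH_* constants are of interest; other report lines are skipped.
LINE = re.compile(r"^(PERCH_[A-Z0-9_]+):[ \t]*(.*)$")


def parse_constants(report):
    """Return {constant: value}; a false constant shows up as an empty value."""
    constants = {}
    for raw in report.splitlines():
        match = LINE.match(raw.strip())
        if match:
            constants[match.group(1)] = match.group(2).strip()
    return constants


def is_on(constants, name):
    """Assumption: missing, empty and '0' values all mean the flag is off."""
    return constants.get(name, "") not in ("", "0")


def audit_password_policy(report):
    """List the password-policy mismatches described in this thread."""
    c = parse_constants(report)
    strong = is_on(c, "PERCH_STRONG_PASSWORDS")
    findings = []
    if is_on(c, "PERCH_PARANOID") and not strong:
        findings.append("PERCH_PARANOID is on but PERCH_STRONG_PASSWORDS is off")
    if c.get("PERCH_PASSWORD_MIN_LENGTH") and not strong:
        findings.append(
            "PERCH_PASSWORD_MIN_LENGTH=%s is set but PERCH_STRONG_PASSWORDS is off"
            % c["PERCH_PASSWORD_MIN_LENGTH"]
        )
    return findings


if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_REPORT):
        print("WARN:", finding)
```

Either finding means the fix given in the thread applies: define PERCH_STRONG_PASSWORDS as true explicitly rather than relying on PERCH_PARANOID to switch it on.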