WordPress.org
Get WordPress

Make WordPress Core

Ticket #25174: 25174.3.diff

File 25174.3.diff, 4.0 KB (added by iandunn, 13 years ago)

  • src/wp-admin/js/password-strength-meter.js

     
    1 function passwordStrength(password1, username, password2) {
     1/**
     2 * Determine the strength of a given password
     3 *
     4 * @param string password1 The password
     5 * @param array blacklist An array of words that will lower the entropy of the password
     6 * @param string password2 The confirmed password
     7 */
     8function passwordStrength( password1, blacklist, password2 ) {
     9        if ( ! jQuery.isArray( blacklist ) )
     10                blacklist = [ blacklist.toString() ];
     11
    212        if (password1 != password2 && password2.length > 0)
    313                return 5;
    4         var result = zxcvbn( password1, [ username ] );
     14
     15        var result = zxcvbn( password1, blacklist );
    516        return result.score;
    617}
     18
     19/**
     20 * Builds an array of data that should be penalized, because it would lower the entropy of a password if it were used
     21 *
     22 * @return array The array of data to be blacklisted
     23 */
     24function buildUserInputBlacklist() {
     25        var i, userInputFieldsLength, rawValuesLength, currentField,
     26                rawValues       = [],
     27                blacklist       = [],
     28                userInputFields = [ 'user_login', 'first_name', 'last_name', 'nickname', 'display_name', 'email', 'url', 'description', 'weblog_title', 'admin_email' ];
     29
     30        // Collect all the strings we want to blacklist
     31        rawValues.push( jQuery( 'title' ).text() );
     32        rawValues.push( document.URL );
     33
     34        userInputFieldsLength = userInputFields.length;
     35        for ( i = 0; i < userInputFieldsLength; i++ ) {
     36                currentField = jQuery( '#' + userInputFields[ i ] );
     37
     38                if ( 0 == currentField.length ) {
     39                        continue;
     40                }
     41
     42                rawValues.push( currentField[0].defaultValue );
     43                rawValues.push( currentField.val() );
     44        }
     45
     46        // Strip out non-alphanumeric characters and convert each word to an individual entry
     47        rawValuesLength = rawValues.length;
     48        for ( i = 0; i < rawValuesLength; i++ ) {
     49                if ( rawValues[ i ] ) {
     50                        blacklist = blacklist.concat( rawValues[ i ].replace( /\W/g, ' ' ).split( ' ' ) );
     51                }
     52        }
     53
     54        // Remove empty values, short words, and duplicates. Short words are likely to cause many false positives.
     55        blacklist = jQuery.grep( blacklist, function( value, key ) {
     56                if ( '' == value || 4 > value.length ) {
     57                        return false;
     58                }
     59
     60                return jQuery.inArray( value, blacklist ) === key;
     61        });
     62
     63        return blacklist;
     64}
     65 No newline at end of file

  • src/wp-admin/js/user-profile.js

     
    99                        return;
    1010                }
    1111
    12                 strength = passwordStrength(pass1, user, pass2);
     12                strength = passwordStrength( pass1, buildUserInputBlacklist(), pass2 );
    1313
    1414                switch ( strength ) {
    1515                        case 2:

  • tests/qunit/wp-admin/js/password-strength-meter.js

     
    7777                }
    7878        });
    7979
    80         test( 'username in password should be penalized', function() {
     80        test( 'blacklisted words in password should be penalized', function() {
    8181                var allowedPasswordScore, penalizedPasswordScore,
    8282                        allowedPassword   = 'a[janedoe]4',
    8383                        penalizedPassword = 'a[johndoe]4',
    84                         username          = 'johndoe';
     84                        blacklist         = [ 'extra', 'johndoe', 'superfluous' ];
    8585
    86                 allowedPasswordScore = passwordStrength( allowedPassword, username, allowedPassword );
    87                 penalizedPasswordScore = passwordStrength( penalizedPassword, username, penalizedPassword );
     86                allowedPasswordScore = passwordStrength( allowedPassword, blacklist, allowedPassword );
     87                penalizedPasswordScore = passwordStrength( penalizedPassword, blacklist, penalizedPassword );
    8888
    8989                ok( penalizedPasswordScore < allowedPasswordScore, 'Penalized password scored ' + penalizedPasswordScore + '; allowed password scored: ' + allowedPasswordScore );
    9090        });