From fb70b5d207d8a0c3c2ce9eb04b361146a347d894 Mon Sep 17 00:00:00 2001 From: mrsdizzie Date: Fri, 21 Aug 2020 18:42:23 -0400 Subject: [PATCH] Disable password complexity check default (#12557) * Disable password complexity check default These features enourange bad passwords/are annoying for people using better password methods, and at minimum we shouldn't force that as a default for obvious reasons. Disable any default check to avoid regular complaints. * fix copy paste format --- custom/conf/app.example.ini | 6 +++--- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +- modules/setting/setting.go | 3 +++ 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index f3030edd8..8d4636bfe 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -497,9 +497,9 @@ DISABLE_GIT_HOOKS = false ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true ;Comma separated list of character classes required to pass minimum complexity. -;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. -;Use "off" to disable checking. -PASSWORD_COMPLEXITY = lower,upper,digit,spec +;If left empty or no valid values are specified, the default is off (no checking) +;Classes include "lower,upper,digit,spec" +PASSWORD_COMPLEXITY = off ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt" PASSWORD_HASH_ALGO = pbkdf2 ; Set false to allow JavaScript to read CSRF cookie diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 2bf825123..56da1d220 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -323,7 +323,7 @@ set name for unique queues. Individual queues will default to - `INTERNAL_TOKEN_URI`: ****: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`) - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\]. - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie. -- `PASSWORD_COMPLEXITY`: **lower,upper,digit,spec**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, the default values will be used. Possible values are: +- `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off): - lower - use one or more lower latin characters - upper - use one or more upper latin characters - digit - use one or more digits diff --git a/modules/setting/setting.go b/modules/setting/setting.go index f7edd8e50..ae15f68fa 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -825,6 +825,9 @@ func NewContext() { InternalToken = loadInternalToken(sec) cfgdata := sec.Key("PASSWORD_COMPLEXITY").Strings(",") + if len(cfgdata) == 0 { + cfgdata = []string{"off"} + } PasswordComplexity = make([]string, 0, len(cfgdata)) for _, name := range cfgdata { name := strings.ToLower(strings.Trim(name, `"`))