Password: Check that a user email is part of password in zxcvbn check…

…er (roundcube#9404)
audriga · Apr 14, 2024 · 7839820 · 7839820
1 parent 15659d7
commit 7839820
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,6 +41,7 @@
 - Password: Add ldap_samba_ad driver (#8525)
 - Password: Allow LDAP access using LDAP URI and SASL binding (#8402)
 - Password: Use Guzzle HTTP Client in 'pwned' driver
+- Password: Check that a user email is part of password in zxcvbn checker (#9404)
 - Fix attachment name decoding when 'charset' parameter exists in the headers (#9376)
 - Fix deprecated (in PHP 8.4) use of session_set_save_handler() (#9060)
 - Fix potential HTTP protocol version mismatch (#8982)

diff --git a/plugins/password/drivers/zxcvbn.php b/plugins/password/drivers/zxcvbn.php
@@ -58,8 +58,14 @@ public function check_strength($passwd)
             ], true, true);
         }
 
+        $rcmail = rcmail::get_instance();
+        $userData = [
+            $rcmail->user->get_username('local'),
+            $_SESSION['username'],
+        ];
+
         $zxcvbn = new Zxcvbn(); // @phpstan-ignore-line
-        $strength = $zxcvbn->passwordStrength($passwd); // @phpstan-ignore-line
+        $strength = $zxcvbn->passwordStrength($passwd, $userData); // @phpstan-ignore-line
 
         return [$strength['score'] + 1, $strength['feedback']['warning']];
     }