Bug #34792 New User/Changing Password Validation Not working.
Submitted: 24 Feb 2008 16:57
Modified: 1 Mar 2008 10:19
Reporter: Chris Stadther
Status: Closed
Category: Connector / NET
Severity: S2 (Serious)
Version: 5.2.0
OS: Microsoft Windows
Assigned to:
CPU Architecture: Any

[24 Feb 2008 16:57] Chris Stadther
Description:
You're missing some code to validate the password strength and requirements.  

How to repeat:
Using the provider, you can create a user that does not conform to the password requirements set forth in the provider configuration.

Suggested fix:
Add the following code to the create user and change password functions:

// Reject passwords shorter than the configured minimum length.
if( password.Length < MinRequiredPasswordLength )
{
    status = MembershipCreateStatus.InvalidPassword;
    return null;
}

// Count the characters that are neither letters nor digits.
int count = 0;

for( int i = 0; i < password.Length; i++ )
{
    if( !char.IsLetterOrDigit( password, i ) )
    {
        count++;
    }
}

// Reject passwords with too few non-alphanumeric characters.
if( count < MinRequiredNonAlphanumericCharacters )
{
    status = MembershipCreateStatus.InvalidPassword;
    return null;
}

// Apply the configured strength expression, if one is set.
if( PasswordStrengthRegularExpression.Length > 0 )
{
    if( !Regex.IsMatch( password, PasswordStrengthRegularExpression ) )
    {
        status = MembershipCreateStatus.InvalidPassword;
        return null;
    }
}
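
Added example, not part of the original report or the Connector/NET source: the three checks from the suggested fix gathered into one helper that both the create-user and change-password paths can call, with a null-safe regex setting and a bounded match time. The PasswordPolicy class, its parameters and the sample policy values are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper (not Connector/NET code): one policy check shared by the
// create-user and change-password paths so neither path can skip it.
static class PasswordPolicy
{
    public static bool IsValid(string password, int minLength,
                               int minNonAlphanumeric, string strengthRegex)
    {
        // Null or empty passwords are always rejected, whatever the minimum is.
        if (string.IsNullOrEmpty(password) || password.Length < minLength)
            return false;

        int nonAlphanumeric = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c))
                nonAlphanumeric++;
        if (nonAlphanumeric < minNonAlphanumeric)
            return false;

        // An unset expression (null or "") means no regex requirement.
        if (string.IsNullOrEmpty(strengthRegex))
            return true;
        try
        {
            // Bound matching time so a badly written expression cannot stall the request.
            return Regex.IsMatch(password, strengthRegex, RegexOptions.None,
                                 TimeSpan.FromSeconds(1));
        }
        catch (RegexMatchTimeoutException)
        {
            return false; // fail closed: an unverifiable password is not accepted
        }
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed policy values, standing in for the provider configuration.
        const int minLen = 7, minSymbols = 1;
        const string regex = @"^(?=.*\d)(?=.*[a-z]).+$";
        foreach (string candidate in new[] { "abc", "abcdefg1", "abcdefg!", "abcdef1!" })
            Console.WriteLine("{0,-10} {1}", candidate,
                PasswordPolicy.IsValid(candidate, minLen, minSymbols, regex)
                    ? "accepted" : "InvalidPassword");
    }
}
```
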
[25 Feb 2008 21:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/42959
[25 Feb 2008 21:37] Reggie Burnett
Fixed in 5.2.1
[1 Mar 2008 10:19] MC Brown
A note has been added to the 5.2.1 changelog: 

When using the provider to generate or update users and passwords, the password checking algorithm would not validate the password strength or requirements correctly.