From 05037e0b50b1308096e1ff867798ab485b0361fe Mon Sep 17 00:00:00 2001
From: Torben Hansen <derhansen@gmail.com>
Date: Sat, 17 Feb 2024 09:38:02 +0100
Subject: [PATCH] [TASK] Prevent password policy warning in
 BackendUserPasswordCheck

The dataHandler hook implementation `BackendUserPasswordCheck` sets
a random password for a new backend user, if the provided password
is empty in `$incomingFieldArray`. The generated password is a
random HMAC string, which does not fulfill the requirements of
the default TYPO3 password policy. As a result, a password policy
warning is shown.

This change ensures that the generated random password fulfills at
least the default TYPO3 password policy.

Resolves: #103138
Releases: main, 12.4
Change-Id: I20ef7c5958d539533cc76ca41c4cc7b5ab07e594
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82986
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
---
 .../core/Classes/Hooks/BackendUserPasswordCheck.php  | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php b/typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php
index 9106d274ddea..f690601b75d1 100644
--- a/typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php
+++ b/typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php
@@ -29,10 +29,7 @@ use TYPO3\CMS\Core\Utility\MathUtility;
  */
 class BackendUserPasswordCheck
 {
-    /**
-     * @var Random
-     */
-    protected $random;
+    protected Random $random;
 
     public function __construct()
     {
@@ -58,7 +55,12 @@ class BackendUserPasswordCheck
             return;
         }
         if (!isset($incomingFieldArray['password']) || (string)$incomingFieldArray['password'] === '') {
-            $incomingFieldArray['password'] = GeneralUtility::hmac($id, $this->random->generateRandomBytes(20));
+            $incomingFieldArray['password'] = $this->random->generateRandomPassword([
+                'lowerCaseCharacters' => true,
+                'upperCaseCharacters' => true,
+                'digitCharacters' => true,
+                'specialCharacters' => true,
+            ]);
         }
         if (!isset($incomingFieldArray['username']) || (string)$incomingFieldArray['username'] === '') {
             $incomingFieldArray['username'] = 'autogenerated-' . md5($id);
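Review bot: The rules array passed to `generateRandomPassword()` enables the four character classes but sets no length, so the strength of this placeholder password now rests on the helper's default, which is not visible in this hunk. The removed line derived the value from an HMAC keyed with 20 random bytes, so it is worth confirming the new password is not materially weaker. Pinning it with an explicit `'length' => <chosen length>,` entry (assuming the helper accepts that key, as I believe it does) would make the intended strength reviewable here. A short comment above the call, such as `// Random placeholder that satisfies the default password policy`, would also explain why all four classes are forced. The enclosing method begins and ends outside the hunk.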
-- 
GitLab