Password: Disallow control characters in passwords (#6547)

CHANGELOG

@@ -24,6 +24,7 @@ CHANGELOG Roundcube Webmail
 - Passowrd: Allow drivers to define password strength rules displayed to the user
 - Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
 - Password: Add zxcvbn driver for checking password strength (#6479)
+- Password: Disallow control characters in passwords
 - Elastic: Improved datepicker displayed always in parent window
 - Elastic: On touch devices display attachment icons on messages list (#6296)
 - Elastic: Make menu button inactive if all subactions are inactive (#6444)

plugins/password/password.php

@@ -159,7 +159,7 @@ class password extends rcube_plugin
             $newpwd = rcube_charset::convert($newpwd, $rc_charset, $charset);
             $conpwd = rcube_charset::convert($conpwd, $rc_charset, $charset);
 
-            if ($chk_pwd != $orig_pwd) {
+            if ($chk_pwd != $orig_pwd || preg_match('/[\x00-\x1F\x7F]/', $newpwd)) {
                 $this->rc->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
             }
             // other passwords validity checks