Issue: special characters in password break the hash
Steps to reproduce:
I installed the latest released version (e107 V2.2.1) and during setup I used a randomly generated strong password for the Administrator account:
H?r}Fz^bT4N"`DU8
Upon completing the installation, I was unable to log in to the admin account. (Wrong password)
I changed the password in mysql via the cli to the md5 hash of "changeme" (4cb9c8a8048fd02294477fcb1a41191a) and was able to log into the admin account with this password.
I immediately changed the password back to the originally intended strong password H?r}Fz^bT4N"`DU8 and again was not able to log back in and had to manually reset it back again to "changeme".
This happens because " is transformed into " in one of the e107 methods (maybe toDb()?). The new password actually is
H?r}Fz^bT4N"`DU8
Doing more testing to see how we can fix this
Edit:
It is the e107::getParser()->filter() method. It uses FILTER_SANITIZE_STRING which will get rid of the double quotes. It is present in both /usersettings.php and probably called somewhere from install.php as well.
@CaMer0n Would it be safe to exempt the password field from this filter routine? And process it exactly as entered? Same as with the 'ue' fields?
Optionally we can also make use of FILTER_FLAG_NO_ENCODE_QUOTES which would require making changes to the e107::getParser()->filter() method.
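To make the mechanism concrete, the following stand-alone PHP snippet (added here as an illustration, not e107's own code) runs a constructed password of the same shape through FILTER_SANITIZE_STRING with and without FILTER_FLAG_NO_ENCODE_QUOTES and compares the resulting hashes; the password string and the md5 comparison are assumptions taken from the report.

```php
<?php
// Added example: why a double quote in the password breaks the stored hash.
// Constructed sample password, same shape as the one in the report.
$entered = 'H?r}Fz^bT4N"`DU8';

// FILTER_SANITIZE_STRING strips tags and HTML-encodes quote characters
// (double quote becomes &#34;, single quote becomes &#39;).
// Note: this filter is deprecated as of PHP 8.1.
$sanitized = filter_var($entered, FILTER_SANITIZE_STRING);

// Same filter with FILTER_FLAG_NO_ENCODE_QUOTES: quotes are left untouched.
$preserved = filter_var($entered, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

// Returns true when hashing what was stored at setup ($stored) agrees with
// hashing what the user types at login ($typed). md5 is used only because the
// report shows an md5 value in the database; it is not a recommendation.
function hashRoundTrips(string $stored, string $typed): bool
{
    return hash_equals(md5($stored), md5($typed));
}

// Setup path stores a hash of the filtered value; login hashes the raw input.
printf("entered  : %s\n", $entered);
printf("sanitized: %s\n", $sanitized);
printf("preserved: %s\n", $preserved);
printf("login works after FILTER_SANITIZE_STRING          : %s\n",
    hashRoundTrips($sanitized, $entered) ? 'yes' : 'no');
printf("login works with FILTER_FLAG_NO_ENCODE_QUOTES     : %s\n",
    hashRoundTrips($preserved, $entered) ? 'yes' : 'no');

// Defensive check a setup or change-password handler can apply before hashing:
// refuse to store a hash if filtering altered the bytes the user entered.
function filterAlteredPassword(string $raw, string $filtered): bool
{
    return $raw !== $filtered;
}
printf("filter altered the password: %s\n",
    filterAlteredPassword($entered, $sanitized) ? 'yes' : 'no');
```

The same mismatch appears with any character the filter encodes, so the check at the end is the condition a handler should alert on rather than silently hashing the altered string.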
Moc added the "type: bug" label (A problem that should not be happening) and removed the "status: testing required" label (Someone needs to confirm this issue's existence and write a test to prevent the fix from regressing) on Nov 4, 2019.
Moc added a commit that referenced this issue on Nov 4, 2019.
This has now been fixed. It is not the cleanest method, and perhaps we need to adjust the e107::getParser()->filter() method to include the FILTER_FLAG_NO_ENCODE_QUOTES flag but for now this works.