Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passwords containing special chars do not work correctly #20021

Closed
samjf opened this issue Nov 16, 2022 · 14 comments · Fixed by #20048
Closed

Passwords containing special chars do not work correctly #20021

samjf opened this issue Nov 16, 2022 · 14 comments · Fixed by #20048
Assignees
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Regression Indicates a feature used to work in a certain way but it no longer does even though it should.
Milestone

Comments

@samjf
Copy link
Contributor

samjf commented Nov 16, 2022

I received a report that a super user could not remove a former super user using the user management in settings.

The following is known about the user to be deleted:

  • they are a former super user that has been modified to no access
  • MFA is enabled
  • Password was standard with common letters/numbers/characters
  • Attempted password reset for both SU accounts

The following recreation steps were supplied:

  • Log in as a current super
  • Go to Admin User
  • Click on the delete icon next to the old user
  • Confirm deletion with current logged in super user password in confirmation dialog

Expected Behavior

The user targeted for deletion should be deleted.

Current Behavior

The error message "The current password you entered is not correct"

Possible Solution

I could not recreate this.

Steps to Reproduce (for Bugs)

The following recreation steps were supplied:

  • Log in as a current super
  • Go to Admin User
  • Click on the delete icon next to the old user
  • Confirm deletion with current logged in super user password in confirmation dialog

Context

See above.

Your Environment

  • Matomo Version: 4.12.2
  • PHP Version: 8.0
  • Server Operating System: Linux
@samjf samjf added Potential Bug Something that might be a bug, but can't be reproduced (yet). To Triage An issue awaiting triage by a Matomo core team member labels Nov 16, 2022
@heurteph-ei
Copy link

Is it the same as #19857 (User Deletion throws error "Password is too weak")?

@peterhashair
Copy link
Contributor

I can't recreate this one as well. Any @samjf error shows in the log?

@peterhashair peterhashair added Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. and removed Potential Bug Something that might be a bug, but can't be reproduced (yet). To Triage An issue awaiting triage by a Matomo core team member labels Nov 17, 2022
@samjf
Copy link
Contributor Author

samjf commented Nov 20, 2022

@peterhashair I looked at the time and didn't see anything at all sorry 😢 I tried to squeeze any more detail, but unfortunately that is all I got.

@sgiehl
Copy link
Member

sgiehl commented Nov 21, 2022

@samjf Would be interesting to know if the password confirmation error really only happens when removing a former super user. I would guess that this also happens when removing any other user and maybe even also when saving system or plugin setting.
If you are able to reach out to the reporter maybe ask them if their password works for any other password confirmation overlay and if they are using any special characters in their password.

@Olivier-SP
Copy link

@samjf Would be interesting to know if the password confirmation error really only happens when removing a former super user. I would guess that this also happens when removing any other user and maybe even also when saving system or plugin setting. If you are able to reach out to the reporter maybe ask them if their password works for any other password confirmation overlay and if they are using any special characters in their password.

I can confirm all type of users are concerned, not only super users.

@sgiehl
Copy link
Member

sgiehl commented Nov 23, 2022

Are you using any special chars in the password or maybe an additional login plugin like LDAP or SAML?

@Olivier-SP
Copy link

Are you using any special chars in the password or maybe an additional login plugin like LDAP or SAML?

@sgiehl thanks for your reply, password is obviously strong :) (contains multiple special chars), and not using any saml/oauth connector yet.
What happen is simply password rejected with this message "incorrect password". In the console the request paylod looks like:
token_auth=xxxxx&force_api_session=1&module=API&method=API.getBulkRequest&urls%5B%5D=method%3DUsersManager.deleteUser%26userLogin%3Djohndoe%26passwordConfirmation%3Dzzzzzzzzz&format=json
field passwordConfirmation (zzzzzzzzzz) is urlencoded when posted to matomo.

Hope this helps!

@sgiehl
Copy link
Member

sgiehl commented Nov 23, 2022

@Olivier-SP would you mind trying to change your password to something without special chars and check if the password prompt for deleting a user then works? That would help us a lot in order to identify the problems origin.

@Olivier-SP
Copy link

Olivier-SP commented Nov 23, 2022

@Olivier-SP would you mind trying to change your password to something without special chars and check if the password prompt for deleting a user then works? That would help us a lot in order to identify the problems origin.

@sgiehl changed my password to something "simple", and worked like a charm :)
Hope this helps to fix it soon !

Edit: but, after being able to remove users, I moved back my password to something secure (my previous password), Matomo told me it was applied, unfortunately after disconnecting/reconnecting my password is not recognized, but kept my previous password.

Edit 2: reset password procedure let me set back a secure password

@sgiehl
Copy link
Member

sgiehl commented Nov 23, 2022

I was able to reproduce that locally by using a password that contains a &. Can you confirm that your secure password also contained a &?
Seems there is some regression with the sanitizing around the password confirmation. We'll try to have a closer look at that soon.

@sgiehl sgiehl added Regression Indicates a feature used to work in a certain way but it no longer does even though it should. and removed Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. labels Nov 23, 2022
@sgiehl sgiehl added this to the 4.12.4 milestone Nov 23, 2022
@Olivier-SP
Copy link

I was able to reproduce that locally by using a password that contains a &. Can you confirm that your secure password also contained a &? Seems there is some regression with the sanitizing around the password confirmation. We'll try to have a closer look at that soon.

{'-!&(; are the special characters used

Thanks a lot for your time and the coming fix!

@sgiehl
Copy link
Member

sgiehl commented Nov 23, 2022

Just a note for the developer who's gonna start working on this one: My assumption for the problem is something like this:
It seems we are using the plain password sent in the request for normal login as well as when resetting the password (those forms are still using a quickform). Changing the password and password confirmations are handled using controller / api. where the parameters are sanitized automatically. So changing the password to something containing a html special char might end up in an incorrect password in the database I guess. In addition the password confirmation tries to compare the password, where the parameter is first sanitized and unsanitized before the compare. This might also still contain escaped special chars, where it shouldn't.

We should check the code so we in the end always use the plain parameters for passwords / password confirmations.

@sgiehl sgiehl self-assigned this Nov 24, 2022
@sgiehl sgiehl added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Nov 24, 2022
@sgiehl
Copy link
Member

sgiehl commented Nov 25, 2022

We need to move a fix for this to Matomo 5. I tried changing that for Matomo 4, but it's too much effort for a quick fix and the risk of possible other regressions is too high. In addition we already implemented changes to Matomo 5, that will help fixing this a lot easier.

@Olivier-SP If my tests were correct, the char making problems should be &, so not using it in the password should solve the issues. Other characters should work I think.

@sgiehl sgiehl modified the milestones: 4.12.4, 5.0.0 Nov 25, 2022
@sgiehl sgiehl changed the title Super user cannot delete a former super user Passwords containing special chars do not work correctly Nov 25, 2022
@sgiehl sgiehl closed this as completed Dec 14, 2022
@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/badd-username-and-password-when-try-to-upload-a-plugin/51170/2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Regression Indicates a feature used to work in a certain way but it no longer does even though it should.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants