Left angle bracket "<" causes remaining characters of password to be omitted #30

Closed
ghost opened this issue Mar 14, 2014 · 6 comments
ghost commented Mar 14, 2014

To reproduce:

  • Create a new account or edit an existing one
  • Include a left angle bracket "<" somewhere in the middle of your password. For example the password "pass<word" will do.
  • Save the account

Outcome:

  • The characters of the password after and including the left angle bracket are missing when viewing the password. For example the above mentioned password would show as "pass"

Expected:

  • The entire original password should be shown when viewing a saved password.
@nuxsmin nuxsmin added the bug label Mar 15, 2014
@nuxsmin nuxsmin self-assigned this Mar 15, 2014
nuxsmin (Owner) commented Mar 15, 2014

Hi!!

I've noticed that passwords were also "sanitized" for malicious code. It has been patched and will be available in short.

Thank you for the feedback

nuxsmin added a commit that referenced this issue Mar 17, 2014
Passwords were "sanitized" and hence some characters were removed from saved string
ghost (Author) commented Mar 27, 2014

Thanks,

This fixed most of the problem, the angle brackets are now being returned (I can see them in the page source) but they still do not show.

The problem seems to be that they're not escaped. I think I've fixed the problem but I don't know the software well enough to test thoroughly. Please see the diff below, this change seems to fix the problem completely.

diff --git a/ajax/ajax_viewpass.php b/ajax/ajax_viewpass.php
index 6a0c1e4..4277a96 100644
--- a/ajax/ajax_viewpass.php
+++ b/ajax/ajax_viewpass.php
@@ -94,10 +94,10 @@ if ($fullTxt) {
         </tr>
         <tr>
             <td><span class="altTxtBlue">' . _('Clave') . '</span></td>
-            <td>' . trim($accountClearPass) . '</td>
+            <td>' . htmlentities(trim($accountClearPass)) . '</td>
         </tr>
         </table>';
     echo '</div>';
 } else {
     echo trim($accountClearPass);
-}
\ No newline at end of file
+}
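Review bot: the changed `<td>` line calls `htmlentities(trim($accountClearPass))` with PHP's default flags and charset; pass them explicitly, e.g. `htmlentities(trim($accountClearPass), ENT_QUOTES, 'UTF-8')` (or `htmlspecialchars`, which is sufficient here because only `<`, `>`, `&` and quotes need encoding for this cell), so that a password containing a single quote is encoded too and a value with bytes invalid in the default charset is not silently turned into an empty string, which would hide the whole password just as the original bug did. The `else` branch's `echo trim($accountClearPass);` remains unescaped; that is correct only if the caller inserts that response as text rather than as HTML, so a one-line comment stating that contract would help the next reader. Also note that `trim()` is applied in both branches, so a password with leading or trailing whitespace is still shown altered; that is pre-existing, not introduced by this change. The second change in the hunk only adds the missing trailing newline.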

@nuxsmin nuxsmin reopened this Apr 10, 2014
nuxsmin (Owner) commented Apr 10, 2014

Hi!!, I've already patched the stable release.

Thank you for your support!

@nuxsmin nuxsmin closed this as completed Apr 10, 2014
nuxsmin added a commit that referenced this issue May 9, 2014
Naelwan commented Oct 25, 2016

Hi again,
I have the same issues even though I'm running the latest release.

"Pass<word" is shown as "Pass"
"Pass<<word" is shown as "Pass<"

And after verification, it does the same on http://demo.syspass.org/index.php
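The two symptoms reported in this thread ("pass<word" shown as "pass", "Pass<<word" shown as "Pass<") are what a browser's HTML tokenizer produces when a raw secret is concatenated into markup: a "<" followed by an ASCII letter opens a tag and everything up to the next ">" (or the end of the response) is consumed as that tag, while a "<" followed by another "<" is emitted as literal text. The following is an added example, not sysPass code, showing the unescaped rendering beside the escaped one and the plain-text branch that must stay unescaped; the function names, the sample values and the response headers are this example's own.

```php
<?php
// Added example (not sysPass code): render a stored secret for the two
// response shapes ajax_viewpass.php has, an HTML fragment and a plain body.
// Function and variable names are this example's own.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text content.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 with U+FFFD instead of returning an empty string, which would
 * otherwise hide an entire password that contains one bad byte.
 */
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The vulnerable shape: the secret is concatenated straight into markup. */
function renderUnescaped(string $pass): string
{
    return '<td>' . $pass . '</td>';
}

/** The fixed shape: the tokenizer never sees a raw "<" from the secret. */
function renderEscaped(string $pass): string
{
    return '<td>' . htmlText($pass) . '</td>';
}

/**
 * Plain-text mode: send the raw value with a text/plain content type so the
 * client inserts it via textContent (not innerHTML). Escaping here would be
 * a bug of the opposite kind: the user would copy "pass&lt;word".
 * Note that trimming would alter a password with leading or trailing
 * whitespace, so this example deliberately does not trim.
 */
function renderPlain(string $pass): void
{
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo $pass;
}

// Constructed sample values, taken from the reports in this thread plus
// one with quotes and a closed tag.
foreach (['pass<word', 'Pass<<word', "it's <b>bold</b>"] as $pw) {
    echo renderUnescaped($pw), "\n"; // a browser would display a truncated value
    echo renderEscaped($pw), "\n";   // a browser displays the full password
}
```

Run it from the command line with `php example.php` to see the two fragments side by side; the escaped line for `pass<word` reads `<td>pass&lt;word</td>`, which a browser renders as the full password.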

nuxsmin added a commit that referenced this issue Oct 25, 2016
nuxsmin (Owner) commented Oct 25, 2016

@Naelwan unfortunately a parameter in the ajax request was malformed...

Solved in last commit

Naelwan commented Oct 25, 2016

Thank you!

nuxsmin added a commit that referenced this issue Dec 20, 2016
…tion in classic theme. Thanks to @ejouvin

* [FIX] Solves #325, Custom field creation, "empty" type list in theme classic. Thanks to @ejouvin
* [FIX] Closes #319.
* [FIX] Fixed issue when showing password through web UI. Closes #30. Thanks to @Naelwan for the feedback
* [FIX] Closes #313, closes #317, closes #328. Fix for php7 for users / groups / profiles display. Thanks to @ejouvin
* [MOD] Modified alertify theme for MDL
* [FIX] Closes #352, Closes #329
* [FIX] Closes #293, closes #292. Enforces MySQL password on installation
* [FIX] Closes #321. Thanks to @ejouvin for the feedback
* [FIX] Solves #345. Send request for account isn't working on classic theme. Thanks to @anburhce for the feedback