Setting up a Nextcloud user -> wrong username or password #893

Open
YugiFanGX opened this Issue Oct 1, 2018 · 13 comments

YugiFanGX commented Oct 1, 2018

I have set up a user account for Nextcloud in my system settings.
As I have already tried several scenarios, I know why my user credentials are wrong:

It is not allowed to use an "@" sign in the account name.
Please add support for this character.

(Let me recommend that you implement a sync for contacts as well.)

YugiFanGX commented Oct 3, 2018

I don't know how this code was implemented. On my desktop system I have set up such an account without problems. If UT uses some sort of API to Ubuntu - it might get fixed once you release 17.04 or 18.04

trisimix commented Oct 13, 2018

Thinking about attempting this as my first UT issue, it'll take me a while though, probably.

trisimix commented Oct 13, 2018

@mardy Hello, do you know which repo contains the code for this issue? Searching for the term nextcloud did not produce many useful results.

mardy commented Oct 14, 2018

Hi @trisimix, and thanks for your initiative! :-)
The repository is https://github.com/ubports/account-plugins; make sure you check out the xenial branch, and not master.

YugiFanGX commented Oct 14, 2018

I fixed it. A maintainer before me found out already: the URI encoding leads to issues with special chars.
How long will it take for changes to be available on UT 16.04 dev channel?

@YugiFanGX YugiFanGX closed this Oct 14, 2018

Flohack74 commented Oct 14, 2018

It will take one night if it was merged properly into the repos ;)

YugiFanGX added a commit to YugiFanGX/account-plugins that referenced this issue Oct 14, 2018

issue #893 - Allow special characters for username and password
ubports/ubuntu-touch#893

NOTICE: The URI encoding was removed in the "xenial" branch, but then added while merging to master

@YugiFanGX YugiFanGX reopened this Oct 14, 2018

YugiFanGX commented Oct 14, 2018

I can't fix this. Currently encodeURIComponent() is used, which is a huge security risk as the program ignores encoding of these characters:
_ . ! ~ * ' ( ) -
(By using some brackets it is possible to execute code.)

Using only encodeURI() seems to be an alternative, as this function encodes special characters, except:
, / ? : @ & = + $ #

But then it will probably misinterpret password and username, due to the allowed ":" character.

mardy commented Oct 14, 2018

Note that the password encoding was already fixed some time ago here: ubports/account-plugins@87ed689

@YugiFanGX I see that you initially removed the encodeURIComponent() call completely; did it help in solving the issue? Have you been able to find out which characters should not be encoded?

YugiFanGX commented Oct 14, 2018

@mardy I did not check these changes on my device, but I am pretty sure that this is the line which makes trouble. Even though I think that removing encodeURIComponent() would fix the problem with my "@" character, it would allow the usage of other characters such as +, ( and ), leading to problems. I guess there is a reason why the password encoding was added in the master branch again.

YugiFanGX added a commit to YugiFanGX/account-plugins that referenced this issue Oct 15, 2018

mardy commented Oct 16, 2018

The password encoding was not added again: the master branch is older than the xenial branch, you should only look at the xenial one.

But indeed, I'm not sure what the ideal solution is here: according to the standards, both username and password should be URI-encoded. It looks like Nextcloud might be at fault here; we need to find information on how exactly it expects username and password to be encoded.
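The two points raised above, YugiFanGX's lists of characters that encodeURIComponent() and encodeURI() leave unencoded and the worry that a ":" surviving encoding gets misread as the separator between username and password, can be checked directly. The following is an added example written for this page; it is not code from ubports/account-plugins or from any participant in the thread, and the host name and credentials in it are constructed sample values:

```javascript
// Added example, not code from ubports/account-plugins or from anyone in this
// thread. It checks which characters the two JavaScript encoders leave alone
// (the lists quoted in the thread) and shows why encoding username and
// password separately with encodeURIComponent() keeps a literal ":" or "@"
// in a credential from being mistaken for a userinfo delimiter.
// Host names and credentials below are constructed sample values.

// Characters the thread says encodeURIComponent() does not encode.
const COMPONENT_PASSTHROUGH = "_.!~*'()-";
// Additional characters the thread says encodeURI() does not encode.
const URI_PASSTHROUGH = ",/?:@&=+$#";

// Return the characters of `chars` that `encode` passes through unchanged.
function passthroughOf(encode, chars) {
  return [...chars].filter((c) => encode(c) === c).join("");
}

// Place credentials in the userinfo part of an https URL, encoding each
// part with the supplied function. encodeURIComponent() is the safe choice;
// encodeURI() is accepted here only so the difference can be demonstrated.
function buildUrl(encode, host, username, password, path = "/") {
  return `https://${encode(username)}:${encode(password)}@${host}${path}`;
}

// Parse the URL with the WHATWG URL API and percent-decode the credentials.
// URL.username / URL.password return the still-encoded form, so a decode
// step is needed to recover the original strings.
function parseUrl(url) {
  const u = new URL(url);
  return {
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.host,
  };
}

// True when the credentials survive a build/parse round trip unchanged.
function roundTrips(encode, host, username, password) {
  const got = parseUrl(buildUrl(encode, host, username, password));
  return got.username === username && got.password === password && got.host === host;
}

// Stand-alone demonstration using constructed sample values.
function demo() {
  const host = "cloud.example.org";
  const all = COMPONENT_PASSTHROUGH + URI_PASSTHROUGH;
  return {
    // encodeURIComponent() keeps only "_.!~*'()-"; encodeURI() keeps all of them.
    componentKeeps: passthroughOf(encodeURIComponent, all),
    uriKeeps: passthroughOf(encodeURI, all),
    // "@" and ":" inside the credentials become %40 and %3A, so the URL is
    // unambiguous and the URL parser puts the delimiters where they belong.
    safeUrl: buildUrl(encodeURIComponent, host, "alice@example.com", "p:w@rd!"),
    componentRoundTrip: roundTrips(encodeURIComponent, host, "al:ice@example.com", "p:w@rd!"),
    // With encodeURI() the ":" in "al:ice" survives, the parser splits the
    // username at that colon, and the credentials come back wrong.
    uriRoundTrip: roundTrips(encodeURI, host, "al:ice", "pw"),
  };
}

console.log(demo());
```

Run it with node. The behaviour it shows is the reason encoding each credential separately with encodeURIComponent() before joining them with ":" and "@" lets a username containing "@" round-trip through a URL, while encodeURI() cannot protect a ":" in either field. What a given server expects to receive on the wire is a separate question, as noted in the comment above.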

jonnius commented Oct 16, 2018

The master branch has never been changed, only the xenial branch. Tbh, I do not really understand the branch policy in the ubports repos and it does not seem to be consistent to me.

About the security concerns: do you really think the Nextcloud server would allow code to be executed through misused username / password fields? I would expect the server to escape that. One could just try with their own Nextcloud instance, I guess...

YugiFanGX commented Oct 16, 2018

@jonnius No, not the server. I meant on the device itself. But now I am not quite sure.

jonnius commented Oct 18, 2018

The HTML request is sent, not rendered on the phone. I don't see how this could be a danger.
