View Ticket
Ticket Hash: bc84f77c6fc96423783780e51ef42d5b88459ed8
Title: Impossible to login in order to update a project with some passwords
Status: Closed
Type: Incident
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Unable_To_Reproduce
Last Modified: 2016-11-03 16:59:28
Version Found In:
User Comments:
anonymous added on 2016-10-05 09:21:26:
Hello, I've locked my project (https://freshcode.club/projects/jarr) with a password generated with my password manager (https://www.passwordstore.org). Then, I want to update the project (just to test) with this per-project password. So, I provide this password to the login box of the page (https://freshcode.club/login) and the login fails. I think this is because my generated password contains the character: `"`. The part of the password to the left of the `"` character is still in the HTML input field. And the right part is displayed just above the "Save" button.

mario added on 2016-11-03 16:52:18:
Now the password being incorrectly replayed is an HTML escaping issue. However, it was stored with the `"` intact. There's no filtering on the password input itself. It's been removed from the project entry for now.

mario added on 2016-11-03 16:59:28:
Well, there is some filtering: `$_REQUEST->ascii->nocontrol->trim["set_password"];` However, that would just strip out control characters, nothing else. HTML escaping for password input has been fixed.
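
The failure discussed in this ticket, as an added example that is not part of the ticket or of freshcode.club's code: a value containing `"` is written into an `<input value="...">` attribute with and without output escaping, and the markup is parsed back to see what the form field would actually hold. The function names, the field name `password` and the sample password are assumptions made for the illustration.

```php
<?php
// Added illustration; function names, the "password" field name and the
// sample value are constructed, not taken from the site's code.

// Unescaped pattern: the stored value is interpolated into the attribute as-is.
function render_unescaped(string $password): string {
    return '<input type="text" name="password" value="' . $password . '">';
}

// Escaped pattern: encode for the HTML attribute context, at output time only.
// The stored password itself is left untouched.
function render_escaped(string $password): string {
    $safe = htmlspecialchars($password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="password" value="' . $safe . '">';
}

// Parse the markup with an HTML parser and return the value the field holds.
function parsed_value(string $html): string {
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);  // tolerate the broken markup
    $doc->loadHTML('<form>' . $html . '</form>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$stored = 'left"right';  // constructed sample password containing a double quote

$renderers = ['unescaped' => 'render_unescaped', 'escaped' => 'render_escaped'];
foreach ($renderers as $label => $render) {
    $html = $render($stored);
    $roundtrip = parsed_value($html);
    printf("%-9s markup: %s\n", $label, $html);
    printf("%-9s field value: %s (%s)\n\n", $label, $roundtrip,
        $roundtrip === $stored ? 'matches stored value' : 'differs from stored value');
}
```

The escaping belongs at output only: the password is stored and compared with the `"` intact, as the ticket notes, and input filtering is not a substitute for encoding the value when it is rendered.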