View Ticket

Ticket UUID: bc84f77c6fc96423783780e51ef42d5b88459ed8
Title: Impossible to login in order to update a project with some passwords
Status: Closed Type: Incident
Severity: Critical Priority: Immediate
Subsystem: Resolution: Unable_To_Reproduce
Last Modified: 2016-11-03 16:59:28
Version Found In:
User Comments:
anonymous added on 2016-10-05 09:21:26: (text/x-fossil-plain)
Hello,

I've locked my project (https://freshcode.club/projects/jarr) with a password generated with my password manager (https://www.passwordstore.org).

Then, I want to update the project (just to test) with this per-project password. 
So, I provide this password to the login box of the page (https://freshcode.club/login) and the login fails.

I think this is because my generated password contains the character: "
The part of the password to the left of the " character is still in the HTML input field. And the right part is displayed just above the "Save" button.

mario added on 2016-11-03 16:52:18: (text/x-fossil-wiki)
Now the password being incorrectly replayed is an HTML escaping issue.

However it was stored with the `"` intact. There's no filtering on the password input itself.

It's been removed from the project entry for now.

mario added on 2016-11-03 16:59:28: (text/x-fossil-wiki)
Well, there is some filtering:

 $_REQUEST->ascii->nocontrol->trim["set_password"];

However that would just strip out control characters, nothing else.

HTML escaping for password input has been fixed.
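An added example, not freshcode's own code, of the two points this ticket settles: a control-character filter on the input side leaves a `"` in a password untouched, and echoing that stored value into an HTML attribute without escaping splits it at the quote, while `htmlspecialchars()` with `ENT_QUOTES` keeps the whole value inside the attribute. The sample password is constructed, and `strip_control()` is only a stand-in for the `->nocontrol` filter, not that library's implementation.

```php
<?php
// Added example, not freshcode's own code: the stored password keeps its
// double quote (input filtering only drops control characters), and the
// bug is purely on output, where the unescaped value breaks the attribute.

// Constructed sample password containing the problematic character.
const SAMPLE_PASSWORD = 'left"right';

// Stand-in for the ->nocontrol input filter (assumption: the real library's
// implementation differs; like it, this only strips control characters).
function strip_control(string $s): string {
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

// Vulnerable rendering: the value is concatenated straight into the attribute.
function render_vulnerable(string $value): string {
    return '<input type="password" name="set_password" value="' . $value . '">';
}

// Fixed rendering: ENT_QUOTES turns " into &quot; (and ' into &#039;), so the
// browser sees one attribute value that decodes back to the original string.
function render_fixed(string $value): string {
    return '<input type="password" name="set_password" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// What a browser puts in the field: the text between value=" and the next
// literal double quote, with entities decoded. Anything after that quote is
// no longer part of the value, which is the truncation the reporter saw.
function field_value(string $html): string {
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$stored = strip_control(SAMPLE_PASSWORD);
assert($stored === SAMPLE_PASSWORD);   // the quote survives input filtering

$vuln  = render_vulnerable($stored);
$fixed = render_fixed($stored);

echo "vulnerable markup: $vuln\n";
echo "field shows:       " . field_value($vuln) . "\n";
echo "fixed markup:      $fixed\n";
echo "field shows:       " . field_value($fixed) . "\n";

assert(field_value($vuln) === 'left');             // truncated at the quote
assert(field_value($fixed) === SAMPLE_PASSWORD);   // round-trips intact
```

Run it with `php example.php`; the vulnerable markup shows the attribute closing early after `left`, and the fixed markup shows `&quot;` in place of the quote so the full password comes back out of the field. The same escaping applies to any user-controlled string placed in an attribute, not only passwords.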