Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not posible to create a token auth when password contains an ampersand (and possibly other special characters) #18346

Closed
tsteur opened this issue Nov 18, 2021 · 0 comments · Fixed by #18348
Assignees
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Milestone

Comments

@tsteur
Copy link
Member

tsteur commented Nov 18, 2021

see matomo-org/matomo-mobile-2#5429 (comment) refs matomo-org/matomo-mobile-2#5423

Create a user with password r&a^rer@ere. Then try to create a token for that user using below API call:

index.php?userLogin=test&passwordConfirmation=r%26a%5Erer%40ere&description=Matomo%20Mobile%202&method=UsersManager.createAppSpecificTokenAuth&module=API&date=today&token_auth=anonymous&period=day&format=json&language=en&

Which then Matomo interprets as r&a^rer@ere and then says password is wrong.

I tested below patch and this solved the issue for me. We'll need to add a test for this though.

diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index 96702a36f7..8b3434133c 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -1409,6 +1409,7 @@ class API extends \Piwik\Plugin\API
             }
         }
 
+        $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
         if (empty($user) || !$this->passwordVerifier->isPasswordCorrect($userLogin, $passwordConfirmation)) {
             if (empty($user)) {
                 /**
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Projects
None yet
2 participants