@tsteur opened this Issue on November 18th 2021 Member

see https://github.com/matomo-org/matomo-mobile-2/issues/5429#issuecomment-972618636 refs https://github.com/matomo-org/matomo-mobile-2/issues/5423

Create a user with password `r&a^rer@ere`. Then try to create a token for that user using the API call below:

index.php?userLogin=test&passwordConfirmation=r%26a%5Erer%40ere&description=Matomo%20Mobile%202&method=UsersManager.createAppSpecificTokenAuth&module=API&date=today&token_auth=anonymous&period=day&format=json&language=en&

Matomo then interprets this as `r&amp;a^rer@ere` and says the password is wrong.

I tested below patch and this solved the issue for me. We'll need to add a test for this though.

diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index 96702a36f7..8b3434133c 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -1409,6 +1409,7 @@ class API extends \Piwik\Plugin\API
             }
         }

+        $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
         if (empty($user) || !$this->passwordVerifier->isPasswordCorrect($userLogin, $passwordConfirmation)) {
             if (empty($user)) {
                 /**
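Review bot: the `unsanitizeInputValue` call is placed immediately before `isPasswordCorrect`, so any use of `$passwordConfirmation` earlier in this method (the lines above the hunk are not visible here) would still see the HTML-escaped value; moving the unsanitize to the point where the parameter enters the method would make the fix cover every path. As the issue text itself notes, a regression test is still missing: it should create a user whose password contains the characters the sanitizer rewrites (at least `&`, which the issue shows becoming `&amp;`, plus `<` and `>`) and assert that `createAppSpecificTokenAuth` succeeds. Since this branch now holds the plaintext secret, also confirm that the exception raised under `if (empty($user))` and any logging in the `isPasswordCorrect` failure path do not interpolate `$passwordConfirmation`.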
This Issue was closed on November 18th 2021
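The failure described in the issue, as an added example that is not part of the issue or of Matomo's code: a Python model of the request path in which the client URL-encodes the password, the server URL-decodes it, a generic request sanitizer HTML-escapes every parameter, and the verifier then compares the escaped string against the stored hash. `sanitize_input_value` and `unsanitize_input_value` are stand-ins for Matomo's sanitizer and `Common::unsanitizeInputValue` (assumed to be one round of HTML escaping and its inverse); the salt, the hashing scheme and `create_token_auth` are constructed for the demo. The example also checks the edge case a reviewer would ask about, a password that literally contains `&amp;`, which still round-trips because escaping is applied exactly once.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs

# Constructed sample data taken from the issue: the password and the API request.
STORED_PASSWORD = "r&a^rer@ere"
REQUEST_QUERY = (
    "userLogin=test&passwordConfirmation=r%26a%5Erer%40ere"
    "&description=Matomo%20Mobile%202"
    "&method=UsersManager.createAppSpecificTokenAuth&module=API&format=json"
)
SALT = b"constructed-fixed-salt-for-demo"  # a real system stores a random per-user salt


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256); stands in for Matomo's password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_password_correct(candidate: str, stored_hash: bytes, salt: bytes = SALT) -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


def sanitize_input_value(value: str) -> str:
    """Stand-in for the generic request sanitizer (assumption): HTML-escapes the
    parameter, so '&' becomes '&amp;', '<' becomes '&lt;' and so on."""
    return html.escape(value, quote=True)


def unsanitize_input_value(value: str) -> str:
    """Stand-in for Common::unsanitizeInputValue (assumption): reverses one round
    of escaping, which is exactly what the sanitizer applied."""
    return html.unescape(value)


def password_confirmation_from_request(query: str) -> str:
    """URL-decode the query string and return the passwordConfirmation parameter."""
    return parse_qs(query, keep_blank_values=True)["passwordConfirmation"][0]


def create_token_auth(query: str, stored_hash: bytes, unsanitize_first: bool) -> bool:
    """Model of the createAppSpecificTokenAuth password check (constructed).

    Returns True when the confirmation verifies, i.e. a token would be issued.
    With unsanitize_first=False the escaped string reaches the verifier and the
    check fails for any password containing a character the sanitizer rewrites.
    """
    confirmation = sanitize_input_value(password_confirmation_from_request(query))
    if unsanitize_first:
        confirmation = unsanitize_input_value(confirmation)
    return is_password_correct(confirmation, stored_hash)


if __name__ == "__main__":
    stored = hash_password(STORED_PASSWORD)
    decoded = password_confirmation_from_request(REQUEST_QUERY)
    print("decoded from request:", decoded)
    print("after sanitizer:     ", sanitize_input_value(decoded))
    print("verify without fix:  ", create_token_auth(REQUEST_QUERY, stored, False))
    print("verify with fix:     ", create_token_auth(REQUEST_QUERY, stored, True))
```

The detection-side lesson is the same one the patch encodes: sanitizers meant for output into HTML must not be applied to secrets that are compared or hashed, or the secret must be restored to its original bytes before the comparison. A regression test for this class of bug uses passwords built from the sanitizer's full replacement set, not only `&`.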