
Changing password using an HTML entity may result in an error #9763

Closed
wronan opened this issue Feb 11, 2016 · 4 comments

wronan (Contributor) commented Feb 11, 2016

https://github.com/piwik/piwik/blob/master/plugins/UsersManager/Controller.php#L462

Should be:

$auth->setPassword($newPassword);

instead.

mattab (Member) commented Feb 12, 2016

Hi @wronan, does it cause a bug that can be reproduced? Could you describe the issue, i.e. steps to reproduce, got vs. expected behavior?

wronan (Contributor, Author) commented Feb 12, 2016

Steps to reproduce:

  1. Log into your Piwik.
  2. Go to your personal settings.
  3. Change the password to New"Pass.
  4. You will get a permission error, will have to reload the page manually and will land on the login form.

This partially fails: the new password will be set in the DB, but initSession() will fail due to a password mismatch (it will pick the new, correct password hash from the DB and compare it with md5('New"Pass')).
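The mismatch described in the steps above, modelled as an added PHP example (this is not Piwik's code): the controller hashes the raw new password into the DB, but hands Auth the HTML-escaped form, so the hash Auth computes at session initialisation no longer matches. `sanitizeInput`, `passwordHash`, `FakeAuth` and `changePassword` are stand-ins written for this example; md5 is used only because it is the hash the thread refers to.

```php
<?php
// Added example, not Piwik's code. Shows why passing the sanitized password to
// Auth (the bug) fails while passing the raw password (the proposed fix) works.

// Stand-in for the request-layer sanitizer: HTML-escapes the value, so
// New"Pass becomes New&quot;Pass.
function sanitizeInput(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the password hash referred to in this thread (md5 at the time).
function passwordHash(string $password): string
{
    return md5($password);
}

// Minimal stand-in for an Auth object: keeps whichever password it was given
// and compares its hash with the stored hash when the session is initialised.
final class FakeAuth
{
    private string $password = '';

    public function setPassword(string $password): void
    {
        $this->password = $password;
    }

    public function initSession(string $storedHash): bool
    {
        // Constant-time comparison of the two hex digests.
        return hash_equals($storedHash, passwordHash($this->password));
    }
}

// Models the controller's password-change path. The DB always receives the
// hash of the raw password; $useSanitized selects which form is handed to
// Auth (true reproduces the reported bug, false is the proposed fix).
function changePassword(string $rawNewPassword, bool $useSanitized): array
{
    $storedHash = passwordHash($rawNewPassword); // what the DB keeps
    $auth = new FakeAuth();
    $auth->setPassword($useSanitized ? sanitizeInput($rawNewPassword) : $rawNewPassword);
    return [
        'hashedInDb' => $storedHash,
        'authSaw'    => $useSanitized ? sanitizeInput($rawNewPassword) : $rawNewPassword,
        'sessionOk'  => $auth->initSession($storedHash),
    ];
}

// Constructed sample values: the password from the reproduction steps, and one
// with no characters the sanitizer touches.
foreach (['New"Pass', 'NewPass'] as $pw) {
    foreach ([true, false] as $useSanitized) {
        $r = changePassword($pw, $useSanitized);
        printf(
            "password=%-10s sanitized=%-5s authSaw=%-15s sessionOk=%s\n",
            $pw,
            $useSanitized ? 'yes' : 'no',
            $r['authSaw'],
            $r['sessionOk'] ? 'yes' : 'no'
        );
    }
}
```

Run with `php example.php`. The buggy path only fails for passwords containing a character the sanitizer rewrites (`"`, `'`, `<`, `>`, `&`); a password such as NewPass passes both ways, which is why the defect is easy to miss in testing. For real credential storage, `password_hash()` and `password_verify()` should replace the md5 stand-in; the mismatch itself is independent of the hash function.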

wronan (Contributor, Author) commented Feb 12, 2016

Well... to be honest, I tested it on 2.15.0, but I don't see any code changes in this controller, so I assume the problem still exists.

tsteur (Member) commented Feb 12, 2016

I can confirm this.

tsteur added the Bug label (the answered label was added and then removed) on Feb 12, 2016
tsteur added this to the 2.16.1 milestone on Feb 12, 2016
tsteur self-assigned this on Feb 12, 2016
mattab changed the title from "After pass change, sanitized string is passed to Auth (instead of unsanitized)" to "Changing password using an HTML entity may result in an error" on Apr 1, 2016