Loading...
 
Skip to main content

LDAP password will not be accepted when using > or < in the password string

Status
Closed
Subject
LDAP password will not be accepted when using > or < in the password string
Version
10.x
Category
  • Error
Feature
Permission
Resolution status
New
Submitted by
ukoegler
Lastmod by
Marc Laporte
Rating
(0)
Description

we are using ldap for login to tikiwiki. If the user has a > or < character in his password he is not able to login to tikiwiki. He will get the message "password is not correct".
I asume that this might be a code problem in php or html so that tikiwiki interprete these characters as code?

The Problem will be found here:

-> /srv/www/htdocs/tikiwiki/tiki-setup_base.php

in the line:

614: $_POST = $inputFilter->filter($_POST);

...in which obviously all Request-Parameters will be somehow filtered inklusive Password
($_REQUEST'pass'). Before/After the Request-Hash looks as follows (Test-Passwort: Ordix<0590):

<!-- array(5) { %22user%22=> string(2) "ca" %22pass%22=> string(10) "Ordix>0590" %22login%22=> string(6) "Log In" %22stay_in_ssl_mode_present%22=> string(1) "y" %22stay_in_ssl_mode%22=> string(1) "n" }
-->

<!-- array(5) { %22user%22=> string(2) "ca" %22pass%22=> string(9) "Ordix0590" %22login%22=> string(6) "Log In" %22stay_in_ssl_mode_present%22=> string(1) "y" %22stay_in_ssl_mode%22=> string(1) "n" } the "inputFilter" will be declared here: 606:$inputFilter = DeclFilter::fromConfiguration($inputConfiguration, array('catchAllFilter')); it seems to be a Bug inTikiwiki. is there a solution?
Solution

Merging with Issue
https://dev.tiki.org/item4599

Workaround

we have now removed the filter for the passwort.

affected file is wikix:/srv/www/htdocs/tikiwiki/tiki-login.php ( line 15)

9 $inputConfiguration = array(
10 array( 'staticKeyFilters' => array(
11 'user' => 'text',
12 'username' => 'text',
13 // upd by ts Fr 19. Jul 13:16:29 CEST 2013
14 // Entered password wir be no longer filtered
15 //'pass' => 'text',
16 ) )
17 );

So then logging with special characters works (although you could now also integrate with any unsightly code)

Is there a possobility to check this filter for certain bugs?

Importance
10 high
Priority
50
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
4597
Created
Thursday 18 July, 2013 07:16:06 UTC
by ukoegler
LastModif
Wednesday 11 September, 2013 15:55:08 UTC


Show PHP error messages