Bug 103511

Summary: The URL in the 'recover password' email redirects to login page
Product: [Retired] Red Hat Web Application Framework
Reporter: Daniel Berrangé <berrange>
Component: ui
Assignee: ccm-bugs-list
Status: CLOSED RAWHIDE
QA Contact: Jon Orris <jorris>
Severity: medium
Priority: medium
Version: nightly
CC: pruchaba_bah
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2003-12-10 02:48:53 UTC
Bug Blocks: 100952, 103600    

Description Daniel Berrangé 2003-09-01 14:46:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The 'recover password' page sends the user an email containing a link to the
'change-password' page with a one-time key set, e.g.:

http://dev:9042/ccm/register/change-password?ad_user_recover=2008%211062428109542%21vEQhCgNRs+KNYWIFzShQaQ%3D%3D&g11n.enc=UTF-8

However, upon visiting this page to change their password, the user is
redirected to the login page:

http://dev:9042/ccm/register/?g11n.enc=UTF-8&return_url=%2Fccm%2Fregister%2Fchange-password%2F%3Fg11n.enc%3DUTF-8%26ad_user_recover%3D2008%25211062428109542%2521vEQhCgNRs%2BKNYWIFzShQaQ%253D%253D

:-(


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Logout of site
2. Fill out the form on the 'recover password' page
3. Wait for the email to arrive
4. Visit the link in the email
    

Actual Results:  Redirected to the login page

Expected Results:  Presented a form allowing password to be changed.

Additional info:

Comment 1 Brett Prucha 2003-10-29 16:24:49 UTC
This bug is due to the fact that the Credential contains a '+' character in 
it.  The recover password UI (com.arsdigita.ui.login.RecoverPasswordPanel) 
generates the URL's credential parameter by calling:

Line 339:

            ParameterMap map =
                ParameterMap.fromString
                (RecoveryLoginModule.getParamName() + "=" +
                 RecoveryLoginModule.getParamValue(user.getID()));

However, the ParameterMap.fromString() function URL-decodes the query string,
replacing '+' characters with space characters.  Once it's decoded it is again
encoded.  You can fix this problem by replacing the above lines of code with
these:

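            // Encode the credential first so that fromString()'s decode
            // step restores the original value, '+' included.
            ParameterMap map =
                ParameterMap.fromString
                (RecoveryLoginModule.getParamName() + "=" +
                 URLEncoder.encode
                 (RecoveryLoginModule.getParamValue(user.getID()), "UTF-8"));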

By first encoding the Credential you ensure that the original value is returned 
when it is decoded.
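
Added example, not part of the bug report or the framework's code: the decode-then-encode round trip described in Comment 1, run on the credential from the emailed URL, before and after the proposed fix. Assumptions: java.net.URLDecoder/URLEncoder stand in for the behaviour attributed to ParameterMap.fromString(), the class and helper names are hypothetical, and the '+' in the emailed URL is taken to be the credential's original character.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class RecoveryLinkRoundTrip {
    // Hypothetical stand-in for what Comment 1 says ParameterMap.fromString() does:
    // the value is form-decoded when parsed, then form-encoded when the URL is built.
    static String decodeThenEncode(String rawValue) throws UnsupportedEncodingException {
        String parsed = URLDecoder.decode(rawValue, "UTF-8"); // a literal '+' becomes ' '
        return URLEncoder.encode(parsed, "UTF-8");            // ' ' is written back as '+'
    }

    // What the server recovers when the user follows the emailed link.
    static String receivedByServer(String valueInUrl) throws UnsupportedEncodingException {
        return URLDecoder.decode(valueInUrl, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Credential reconstructed from the URL in the bug description (assumption:
        // the '+' is part of the original Base64-style value, as Comment 1 states).
        String credential = "2008!1062428109542!vEQhCgNRs+KNYWIFzShQaQ==";

        // Before the fix: the raw credential goes straight into the round trip.
        String buggyUrlValue = decodeThenEncode(credential);
        // After the fix: the credential is encoded once before the round trip.
        String fixedUrlValue = decodeThenEncode(URLEncoder.encode(credential, "UTF-8"));

        System.out.println("emailed (before fix): " + buggyUrlValue);
        System.out.println("emailed (after fix):  " + fixedUrlValue);

        // A one-time recovery key has to match exactly; one altered character
        // fails the check and the user is treated as unauthenticated.
        System.out.println("before fix, key intact: "
                + credential.equals(receivedByServer(buggyUrlValue)));
        System.out.println("after fix, key intact:  "
                + credential.equals(receivedByServer(fixedUrlValue)));
    }
}
```

The "before fix" value it prints is the same ad_user_recover string that appears in the emailed URL in the description, with the '+' left unescaped.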

Comment 2 Archit Shah 2003-11-11 05:45:12 UTC
thanks to excellent debugging work, fixed at 5.2.x (37889), 6.0.x
(37890), and dev (37891)