Bug 472092 (DSGW_passwd_corrupt)

Summary: DSGW password corruption
Product: [Retired] 389
Reporter: Lev <dudko>
Component: UI - Gateway/Phonebook
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Priority: medium
Version: 1.1.3
CC: amsharma, nkinder
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
URL: https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:15:49 UTC
Bug Blocks: 467277, 493682    
Attachments (Description: Flags):
diffs: none
cvs commit log: none

Description Lev 2008-11-18 18:08:04 UTC
Description of problem:
This bug follows the discussion in the mailing list:
https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html

The DSGW web interface does not correctly pass special symbols in passwords, like @, $, &; therefore it is impossible to use DSGW authorization if the password has some of these symbols.

Version-Release number of selected component (if applicable):

the OS is Fedora 9 (64) with all of the recent updates
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64


How reproducible:

If one uses special symbols in the Fedora Directory Server password, it is impossible to authorize in the DSGW web interface. The password passes with some corruptions. If one changes the password to some simple one, the authorization will be successful.

Steps to Reproduce:
1. Add special symbols like $,@,& in the password (via console or another way)
2. Try to use DSGW web interface for the authorization
3. Get the error code that the password is incorrect
  
Actual results:
Authentication Failed

Expected results:
Authorization is successful

Additional info:
https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html

Comment 1 Rich Megginson 2008-12-22 19:57:15 UTC
Created attachment 327686
diffs

Comment 2 Rich Megginson 2008-12-22 21:45:01 UTC
Created attachment 327695
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: 1) By default, all of the get/post parameters have the html entities escaped, so we can be sure that they are displayed to the user escaped, to avoid XSS issues.  However, values sent to LDAP must be unescaped.  The doauth code is used to authenticate directory manager and ordinary users, so we have to unescape the password explicitly there.  The domodify code is used when data is added or modified in the directory server.  It's easier to just fix all of the values before sending to the directory server.
2) The entity code has been moved to adminutil, so use the adminutil functions instead of the dsgw functions.  This will require adminutil 1.1.8.
3) Clean up various compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
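
Added example (not part of the bug report, the attached diffs, or the 389 code base): a minimal C model of the failure the fix description above explains, where a form value that was entity-escaped for safe display reaches the bind without being unescaped. The escaping scheme (every non-alphanumeric byte as &#NNN;), the function names and the sample password are assumptions made for illustration; they are not the dsgw or adminutil routines.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed filter (not DSGW's): non-alphanumeric bytes become &#NNN; so the
 * value is safe to echo into HTML. Returns 0, or -1 if out is too small. */
int entity_escape(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int n = isalnum(c) ? snprintf(out + o, outsz - o, "%c", c)
                           : snprintf(out + o, outsz - o, "&#%u;", (unsigned)c);
        if (n < 0 || (size_t)n >= outsz - o) return -1;
        o += (size_t)n;
    }
    return 0;
}

/* Decode &#NNN; in place, in a single pass so decoded bytes are never
 * decoded again; malformed sequences pass through unchanged. */
void entity_unescape(char *s) {
    char *w = s, *end;
    while (*s) {
        if (s[0] == '&' && s[1] == '#' && isdigit((unsigned char)s[2])) {
            unsigned long v = strtoul(s + 2, &end, 10);
            if (*end == ';' && v > 0 && v < 256) { *w++ = (char)v; s = end + 1; continue; }
        }
        *w++ = *s++;
    }
    *w = '\0';
}

/* strcmp stands in for the LDAP bind. unescape_first: 0 = bug, 1 = fix. */
int auth_from_form(const char *stored, const char *form_value, int unescape_first) {
    char buf[256];
    if (strlen(form_value) >= sizeof buf) return 0;
    strcpy(buf, form_value);
    if (unescape_first) entity_unescape(buf);
    return strcmp(stored, buf) == 0;
}

int main(void) {
    char form[64];                       /* constructed sample password below */
    if (entity_escape("p@ss&w$rd", form, sizeof form)) return 1;
    printf("%s bug=%d fix=%d\n", form, auth_from_form("p@ss&w$rd", form, 0),
           auth_from_form("p@ss&w$rd", form, 1));
    return 0;
}
```

The escaped copy stays the one that is echoed back into HTML; only the copy handed to the directory server is unescaped, so the XSS protection is unchanged.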

Comment 3 Amita Sharma 2011-07-19 10:23:55 UTC
Followed:
1. Add special symbols like $,@,& in the password (via console or another way)
2. Try to use DSGW web interface for the authorization

Passing. Hence marking VERIFIED.