From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The 'recover password' page sends the user an email containing a link to the 'change-password' page with a one-time key set, e.g.:

http://dev:9042/ccm/register/change-password?ad_user_recover=2008%211062428109542%21vEQhCgNRs+KNYWIFzShQaQ%3D%3D&g11n.enc=UTF-8

However, upon visiting this page to change their password, the user is redirected to the login page:

http://dev:9042/ccm/register/?g11n.enc=UTF-8&return_url=%2Fccm%2Fregister%2Fchange-password%2F%3Fg11n.enc%3DUTF-8%26ad_user_recover%3D2008%25211062428109542%2521vEQhCgNRs%2BKNYWIFzShQaQ%253D%253D

:-(

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Log out of site
2. Fill out the form on the 'recover password' page
3. Wait for the email to arrive
4. Visit the link in the email

Actual Results: Redirected to the login page

Expected Results: Presented a form allowing password to be changed.

Additional info:
This bug is due to the fact that the Credential contains a '+' character in it. The recover password UI (com.arsdigita.ui.login.RecoverPasswordPanel) generates the URL's credential parameter by calling:

Line: 339

    ParameterMap map = ParameterMap.fromString
        (RecoveryLoginModule.getParamName() + "=" +
         RecoveryLoginModule.getParamValue(user.getID()));

However, the ParameterMap.fromString() function URL-decodes the query string, replacing '+' characters with space characters. Once it's decoded, it is again encoded. You can fix this problem by replacing the above lines of code with these:

    ParameterMap map = ParameterMap.fromString
        (RecoveryLoginModule.getParamName() + "=" +
         URLEncoder.encode
             (RecoveryLoginModule.getParamValue(user.getID()), "UTF-8"));

By first encoding the Credential, you ensure that the original value is returned when it is decoded.
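The round trip described in the comment above, as an added example that is not part of the original thread and is not CCM code. `parseValue` is a hypothetical stand-in for the decoding step attributed to `ParameterMap.fromString()`, and the raw credential string is an assumption reconstructed from the URL in the report.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;

public class RecoverLinkRoundTrip {
    // Hypothetical stand-in for ParameterMap.fromString(): form-decodes the
    // value of one "name=value" pair, as the comment describes.
    static String parseValue(String pair) throws Exception {
        String raw = pair.substring(pair.indexOf('=') + 1);
        return URLDecoder.decode(raw, "UTF-8"); // a literal '+' becomes ' '
    }

    // The stored value is encoded into the emailed link, then decoded again
    // by the server when the user clicks it.
    static String throughLink(String storedValue) throws Exception {
        String inUrl = URLEncoder.encode(storedValue, "UTF-8");
        return URLDecoder.decode(inUrl, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Assumed raw credential: the Base64 tail contains a '+'.
        String credential = "2008!1062428109542!vEQhCgNRs+KNYWIFzShQaQ==";
        String name = "ad_user_recover";

        // Before the fix: the raw credential is handed to the parser.
        String before = parseValue(name + "=" + credential);
        // After the fix: the credential is encoded first, so decoding restores it.
        String after = parseValue(name + "=" + URLEncoder.encode(credential, "UTF-8"));

        System.out.println("stored (before): " + before);
        System.out.println("stored (after):  " + after);
        // The corrupted value still encodes to a link that looks intact,
        // because the space is written back out as '+'.
        System.out.println("link param (before): " + URLEncoder.encode(before, "UTF-8"));
        System.out.println("server value matches credential (before): "
                + throughLink(before).equals(credential));
        System.out.println("server value matches credential (after):  "
                + throughLink(after).equals(credential));
    }
}
```

A one-time key that can contain '+', '/' or '=' is safer to carry in links when it is generated with a URL-safe alphabet or always percent-encoded at the point where it enters a query string.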
Thanks to excellent debugging work, fixed at 5.2.x (37889), 6.0.x (37890), and dev (37891).