Bug 103511 - The URL in the 'recover password' email redirects to login page
Status: CLOSED RAWHIDE
Product: Red Hat Web Application Framework
Classification: Retired
Component: ui
Version: nightly
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: ccm-bugs-list
Jon Orris
Blocks: 100952 103600
Reported: 2003-09-01 10:46 EDT by Daniel Berrange
Modified: 2007-04-18 12:57 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-12-09 21:48:53 EST


Description Daniel Berrange 2003-09-01 10:46:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The 'recover password' page sends the user an email containing a link to the
'change-password' page with a one-time key set, e.g.:

http://dev:9042/ccm/register/change-password?ad_user_recover=2008%211062428109542%21vEQhCgNRs+KNYWIFzShQaQ%3D%3D&g11n.enc=UTF-8

However, upon visiting this page to change their password, the user is
redirected to the login page:

http://dev:9042/ccm/register/?g11n.enc=UTF-8&return_url=%2Fccm%2Fregister%2Fchange-password%2F%3Fg11n.enc%3DUTF-8%26ad_user_recover%3D2008%25211062428109542%2521vEQhCgNRs%2BKNYWIFzShQaQ%253D%253D

:-(


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Logout of site
2. Fill out the form on the 'recover password' page
3. Wait for the email to arrive
4. Visit the link in the email
    

Actual Results:  Redirected to the login page

Expected Results:  Presented a form allowing password to be changed.

Additional info:
Comment 1 Brett Prucha 2003-10-29 11:24:49 EST
This bug is due to the fact that the Credential contains a '+' character in 
it.  The recover password UI (com.arsdigita.ui.login.RecoverPasswordPanel) 
generates the URL's credential parameter by calling:

Line: 339

            ParameterMap map = 
                ParameterMap.fromString
                (RecoveryLoginModule.getParamName() + "=" +
                 RecoveryLoginModule.getParamValue(user.getID()));

However, the ParameterMap.fromString() function URL-decodes the query string, 
replacing '+' characters with space characters.  Once it's decoded it is again 
encoded.  You can fix this problem by replacing the above lines of code with 
these:

            ParameterMap map = 
                ParameterMap.fromString
                (RecoveryLoginModule.getParamName() + "=" +
                 URLEncoder.encode
                 (RecoveryLoginModule.getParamValue(user.getID()), "UTF-8"));

By first encoding the Credential you ensure that the original value is returned 
when it is decoded.
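
The round trip diagnosed in Comment 1, as an added example that is not part of the bug report or the project's code. `buildQuery` and `receive` are hypothetical stand-ins that model `ParameterMap.fromString()` and the server's parameter decoding with `java.net.URLDecoder`/`URLEncoder`; the credential is the one-time key from the URL in the description.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class RecoveryLinkRoundTrip {
    static final String ENC = "UTF-8";

    // Hypothetical model of the link builder described in Comment 1:
    // the value is URL-decoded when parsed, then URL-encoded again on output.
    static String buildQuery(String name, String value)
            throws UnsupportedEncodingException {
        String parsed = URLDecoder.decode(value, ENC);   // a raw '+' becomes ' '
        return name + "=" + URLEncoder.encode(parsed, ENC);
    }

    // Hypothetical model of the receiving side: the incoming query parameter
    // is URL-decoded before the credential is checked.
    static String receive(String query) throws UnsupportedEncodingException {
        String raw = query.substring(query.indexOf('=') + 1);
        return URLDecoder.decode(raw, ENC);
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // One-time key from the emailed URL in the description, with the
        // '+' that Comment 1 identifies as part of the original credential.
        String credential = "2008!1062428109542!vEQhCgNRs+KNYWIFzShQaQ==";

        // Before the fix: the raw credential is handed to the builder.
        String before = buildQuery("ad_user_recover", credential);

        // After the fix: the credential is URL-encoded first, so the
        // builder's decode step returns the original value.
        String after = buildQuery("ad_user_recover",
                                  URLEncoder.encode(credential, ENC));

        System.out.println("before fix: " + before);
        System.out.println("  credential survives round trip: "
                + credential.equals(receive(before)));
        System.out.println("after fix:  " + after);
        System.out.println("  credential survives round trip: "
                + credential.equals(receive(after)));
    }
}
```

The same equality check works as a regression test for any link builder that carries Base64 tokens, since standard Base64 output can contain '+'.
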
Comment 2 Archit Shah 2003-11-11 00:45:12 EST
thanks to excellent debugging work, fixed at 5.2.x (37889), 6.0.x
(37890), and dev (37891)
