Red Hat Bugzilla – Bug 456464
xmlrpc api allows users to change password to include disallowed characters
Last modified: 2008-09-25 09:04:10 EDT
Description of problem:
Using the user.setDetails xmlrpc api method users can change their password to
include the characters '<', '>', '\s', and '\"', which according to the user
page should be disallowed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Ask sherr to run the automated java api test for user.setDetails
Actual results:
details (including password) successfully update
Expected results:
Error stating password was invalid
Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.
fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.
verified in dev
verified in qa
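The fix discussed in this thread puts the API path behind the same password check as the Web frontend. The sketch below is an added example, not the project's code: the `set_details` handler, its simplified signature, the length bounds, the fault code and the reading of '\s' as any whitespace are all assumptions. It dispatches an XML-RPC call offline and reports every violation together, so a length error does not hide a character error.

```python
import re
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Assumed policy: the report names the disallowed characters; the length
# bounds are placeholders, since the page does not state them.
DISALLOWED = re.compile(r'[<>"\s]')
MIN_LEN, MAX_LEN = 5, 32

def password_errors(password):
    """Return every policy violation, so one failure never hides another."""
    errors = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    bad = sorted(set(DISALLOWED.findall(password)))
    if bad:
        errors.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return errors

USERS = {"alice": {"password": "initial-pw"}}  # constructed sample store

def set_details(login, details):
    """Hypothetical stand-in for the user.setDetails API handler."""
    if "password" in details:
        errors = password_errors(details["password"])
        if errors:
            # Fault code 1 is arbitrary for this example.
            raise xmlrpc.client.Fault(1, "invalid password: " + "; ".join(errors))
    USERS[login].update(details)
    return 1

def call(method, *params):
    """Round-trip a request through the XML-RPC marshalling layer, offline."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False)
    dispatcher.register_function(set_details, "user.setDetails")
    request = xmlrpc.client.dumps(params, methodname=method).encode()
    response = dispatcher._marshaled_dispatch(request)
    try:
        return xmlrpc.client.loads(response)[0][0]
    except xmlrpc.client.Fault as fault:
        return fault  # returned, not raised, so callers can inspect it
```

A regression test for this bug should submit a password that is long enough but contains a disallowed character, since a short password only exercises the length check.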