Description of problem: Using the user.setDetails xmlrpc api method users can change their password to include the characters '<', '>', '\s', and '\"', which according the the user page should be disallowed. Version-Release number of selected component (if applicable): 5.0.6 How reproducible: Always Steps to Reproduce: 1. Ask sherr to run the automated java api test for user.setDetails 2. 3. Actual results: details (including password) successfully update Expected results: Error stating password was invalid Additional info:
Fixed in r118986 - user.setDetails now validates the password against the .xsd file, just like the Web frontend does.
fails qa, I can still change the password. It will throw an error over the password being too short but not the bad characters.
verified in dev
verified in qa