Bug 472092 (DSGW_passwd_corrupt) - DSGW password corruption
Summary: DSGW password corruption
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: DSGW_passwd_corrupt
Product: 389
Classification: Retired
Component: UI - Gateway/Phonebook
Version: 1.1.3
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL: https://www.redhat.com/archives/fedor...
Whiteboard:
Depends On:
Blocks: FDS1.1.4 FDS1.2.0
Reported: 2008-11-18 18:08 UTC by Lev
Modified: 2015-12-07 17:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:15:49 UTC
Embargoed:


Attachments
diffs (18.06 KB, patch), 2008-12-22 19:57 UTC, Rich Megginson
cvs commit log (1.76 KB, text/plain), 2008-12-22 21:45 UTC, Rich Megginson

Description Lev 2008-11-18 18:08:04 UTC
Description of problem:
This bug follows the discussion in the mailing list:
https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html

   The DSGW web interface does not correctly pass special symbols in passwords, like @, $, &; therefore it is impossible to use DSGW authorization if the password has some of these symbols.

Version-Release number of selected component (if applicable):

the OS is Fedora 9 (64) with all of the recent updates
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64


How reproducible:

If one uses special symbols in the Fedora Directory server password, it is impossible to authorize in the DSGW web interface. The password passes with some corruptions. If one changes the password to some simple one, the authorization will be successful.

Steps to Reproduce:
1. Add special symbols like $,@,& in the password (via console or another way)
2. Try to use DSGW web interface for the authorization
3. Get the error code that the password is incorrect
  
Actual results:
Authentication Failed

Expected results:
Authorization is successful

Additional info:
https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html

Comment 1 Rich Megginson 2008-12-22 19:57:15 UTC
Created attachment 327686
diffs

Comment 2 Rich Megginson 2008-12-22 21:45:01 UTC
Created attachment 327695
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: 1) By default, all of the get/post parameters have the html entities escaped, so we can be sure that they are displayed to the user escaped, to avoid XSS issues.  However, values sent to LDAP must be unescaped.  The doauth code is used to authenticate directory manager and ordinary users, so we have to unescape the password explicitly there.  The domodify code is used when data is added or modified in the directory server.  It's easier to just fix all of the values before sending to the directory server.
2) The entity code has been moved to adminutil, so use the adminutil functions instead of the dsgw functions.  This will require adminutil 1.1.8.
3) Clean up various compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
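
The escape-for-display versus unescape-for-LDAP distinction in the fix description above, as an added C example that is not the DSGW or adminutil code. `entity_escape`, `entity_unescape` and `auth` are hypothetical names, and encoding every non-alphanumeric byte as `&#NN;` is an assumed stand-in for the real entity functions.

```c
/* Added illustration, not DSGW or adminutil code; names and encoding are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Input filter: every non-alphanumeric byte becomes &#NN; so it is inert in HTML. */
size_t entity_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz) out[0] = '\0';
    for (; *in; in++) {
        unsigned c = (unsigned char)*in;
        int w = isalnum((int)c) ? snprintf(out + n, outsz - n, "%c", (int)c)
                                : snprintf(out + n, outsz - n, "&#%u;", c);
        if (w < 0 || (size_t)w >= outsz - n) return (size_t)-1; /* no room */
        n += (size_t)w;
    }
    return n;
}

/* LDAP side: decode &#NN; in place; malformed references are left as typed. */
void entity_unescape(char *s)
{
    char *w = s, *end = s;
    while (*s) {
        unsigned long v = 0;
        if (s[0] == '&' && s[1] == '#' && isdigit((unsigned char)s[2]))
            v = strtoul(s + 2, &end, 10);
        if (v > 0 && v < 256 && *end == ';') {
            *w++ = (char)v;
            s = end + 1;
        } else {
            *w++ = *s++;
        }
    }
    *w = '\0';
}

/* Login path: the form value arrives escaped; the fix decodes it before the bind. */
int auth(const char *stored, const char *typed, int unescape_first)
{
    char param[256];
    if (entity_escape(typed, param, sizeof param) == (size_t)-1) return 0;
    if (unescape_first) entity_unescape(param);
    return strcmp(stored, param) == 0;
}
```

With the constructed password `p@ss$w&rd`, `auth(pw, pw, 0)` returns 0 because the comparison sees `p&#64;ss&#36;w&#38;rd`, while `auth(pw, pw, 1)` returns 1; a purely alphanumeric password matches either way, which is the behaviour the report describes.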

Comment 3 Amita Sharma 2011-07-19 10:23:55 UTC
Followed:
1. Add special symbols like $,@,& in the password (via console or another way)
2. Try to use DSGW web interface for the authorization

Passing. Hence marking VERIFIED.

