Description of problem:
This bug follows the discussion on the mailing list: https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html
The DSGW web interface does not correctly pass special symbols in passwords, such as @, $ and &, so it is impossible to use DSGW authorization if the password contains any of these symbols.

Version-Release number of selected component (if applicable):
The OS is Fedora 9 (64-bit) with all of the recent updates.
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64

How reproducible:
If one uses special symbols in the Fedora Directory Server password, it is impossible to authorize in the DSGW web interface. The password is passed with some corruption. If one changes the password to a simple one, the authorization succeeds.

Steps to Reproduce:
1. Add special symbols like $, @, & to the password (via the console or another way)
2. Try to use the DSGW web interface for authorization
3. Get the error that the password is incorrect

Actual results:
Authentication Failed

Expected results:
Authorization is successful

Additional info:
https://www.redhat.com/archives/fedora-directory-users/2008-November/msg00098.html
Created attachment 327686: diffs
Created attachment 327695: cvs commit log

Reviewed by: nkinder (Thanks!)

Fix Description:
1) By default, all of the get/post parameters have the html entities escaped, so we can be sure that they are displayed to the user escaped, to avoid XSS issues. However, values sent to LDAP must be unescaped. The doauth code is used to authenticate directory manager and ordinary users, so we have to unescape the password explicitly there. The domodify code is used when data is added or modified in the directory server. It's easier to just fix all of the values before sending to the directory server.
2) The entity code has been moved to adminutil, so use the adminutil functions instead of the dsgw functions. This will require adminutil 1.1.8.
3) Clean up various compiler warnings.

Platforms tested: RHEL5
Flag Day: no
Doc impact: no
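The failure mode described in the fix (a form value that is HTML-entity-escaped for safe display is then handed to the LDAP bind unchanged) is easy to reproduce in miniature. The C program below is an added illustration, not DSGW's or adminutil's code: html_escape and html_unescape are hypothetical stand-ins for the entity helpers the commit log refers to, the character set they handle (& < > " ') is an assumption since the page does not list what DSGW escapes, and simulated_bind replaces the real ldap bind with a byte-for-byte password comparison. doauth_buggy models the pre-fix path and doauth_fixed the post-fix path in which the password is unescaped before it leaves the CGI.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape characters that a browser would interpret as markup. The set is an
 * assumption for this example. Returns 0 on success, -1 if out is too small. */
static int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep;
        char ch[2] = { *in, 0 };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = ch;       break;
        }
        size_t n = strlen(rep);
        if (o + n + 1 > outlen) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Reverse of html_escape: named entities above plus decimal &#NN; references.
 * Sequences that are not recognised are copied through verbatim so that no
 * byte of the submitted value is silently dropped. */
static int html_unescape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    while (*in) {
        if (o + 1 >= outlen) return -1;
        if (*in != '&') { out[o++] = *in++; continue; }
        static const struct { const char *ent; char c; } tab[] = {
            { "&amp;", '&' }, { "&lt;", '<' }, { "&gt;", '>' }, { "&quot;", '"' }
        };
        int matched = 0;
        for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
            size_t n = strlen(tab[i].ent);
            if (strncmp(in, tab[i].ent, n) == 0) {
                out[o++] = tab[i].c; in += n; matched = 1; break;
            }
        }
        if (matched) continue;
        if (in[1] == '#') {
            char *end;
            long v = strtol(in + 2, &end, 10);
            if (end != in + 2 && *end == ';' && v > 0 && v < 256) {
                out[o++] = (char)v; in = end + 1; continue;
            }
        }
        out[o++] = *in++;   /* unknown sequence: keep the '&' as-is */
    }
    out[o] = '\0';
    return 0;
}

/* Stand-in for the directory's simple bind: the stored password must match
 * the submitted bytes exactly. Constructed for the example, not real LDAP. */
static int simulated_bind(const char *stored_pw, const char *bind_pw)
{
    return strcmp(stored_pw, bind_pw) == 0;
}

/* Pre-fix behaviour: the display-escaped parameter is sent to the bind, so a
 * password containing '&' arrives as "&amp;" and authentication fails. */
int doauth_buggy(const char *stored_pw, const char *posted_pw)
{
    char escaped[256];
    if (html_escape(posted_pw, escaped, sizeof escaped) != 0) return 0;
    return simulated_bind(stored_pw, escaped);
}

/* Post-fix behaviour: unescape the parameter before it reaches the bind. */
int doauth_fixed(const char *stored_pw, const char *posted_pw)
{
    char escaped[256], plain[256];
    if (html_escape(posted_pw, escaped, sizeof escaped) != 0) return 0;
    if (html_unescape(escaped, plain, sizeof plain) != 0) return 0;
    return simulated_bind(stored_pw, plain);
}

int main(void)
{
    const char *pw = "s3cret&pa$$@word";   /* constructed sample password */
    printf("buggy bind ok: %d, fixed bind ok: %d\n",
           doauth_buggy(pw, pw), doauth_fixed(pw, pw));
    return 0;
}
```

The point the fix makes is visible in the two doauth variants: escaping is the right default for anything echoed back into a page, but it must be undone at the boundary where the value is consumed as data rather than rendered, and a password is only ever data.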
Followed:
1. Add special symbols like $, @, & in the password (via console or another way)
2. Try to use DSGW web interface for the authorization

Passing. Hence marking VERIFIED.