Bug #126
Passwords with special chars such as ' are quoted and therefore not usable
| Status: | Closed | Start: | 19/10/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | Clément Oudot | % Done: | 100% |
| Category: | Self Service Password | | |
| Target version: | self-service-password-0.2 | | |
Description
PHP seems to replace single quotes (') in input strings with their escaped equivalent (at least in my installation). So my password, let's say "sec'ret", is recorded to LDAP as "sec\'ret".
History
Updated by Jonathan Clarke 9 months ago
See http://fr.php.net/manual/fr/function.stripslashes.php.
I'm not sure what to implement to fix, ATM.
Updated by Clément Oudot 9 months ago
- Status changed from New to Assigned
- Assigned to set to Clément Oudot
- Target version set to self-service-password-0.2
Hi,
thanks for the bug report.
The question is why PHP tries to escape special chars... I will try to look at that. The stripslashes function can indeed be used to bypass this bug.
Updated by Jonathan Clarke 9 months ago
Clément Oudot wrote:
> The question is why PHP tries to escape special chars... I will try to look at that. The stripslashes function can indeed be used to bypass this bug.

I think it's their magic quotes function, to avoid SQL injections...
Updated by Clément Oudot 9 months ago
Jonathan Clarke wrote:
> Clément Oudot wrote:
> > The question is why PHP tries to escape special chars... I will try to look at that. The stripslashes function can indeed be used to bypass this bug.
>
> I think it's their magic quotes function, to avoid SQL injections...
As written here: http://php.net/manual/en/security.magicquotes.php
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
So maybe we just have to add documentation to force magic_quotes off for our script. Can you test with this in php.ini:
magic_quotes_gpc = Off
This should resolve the problem.
We now just have to prevent LDAP injection in our code.
Updated by Clément Oudot 9 months ago
- Status changed from Assigned to Feedback
Jonathan, can you give me your feedback when disabling magic_quotes in php.ini?
Updated by Clément Oudot 9 months ago
- % Done changed from 0 to 80
Hi,
can you test the last commit (r33)? I added a test to strip slashes if magic_quotes_gpc is set.
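The two fixes discussed in this thread (undoing magic_quotes_gpc so a password like "sec'ret" reaches LDAP unchanged, and escaping user input before it lands in an LDAP filter) as an added example. This is illustrative code written for this page, not the r33 commit or any other Self Service Password code; the field names `login`/`password`, the base DN and the attribute names are assumptions.

```php
<?php
// Added example (not Self Service Password's own code).
//
// 1. Undo magic quotes if the interpreter applied them. get_magic_quotes_gpc()
//    only returns true on PHP < 5.4; it is deprecated in 7.4 and removed in 8.0,
//    hence the function_exists() guard and the @ to silence the deprecation.
function undo_magic_quotes($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);   // "sec\'ret" -> "sec'ret"
    }
    return $value;                     // nothing was added, return as-is
}

// 2. Escape a value for use inside an LDAP search filter (RFC 4515), so that a
//    login such as "*)(uid=*" cannot widen or rewrite the filter. ldap_escape()
//    exists since PHP 5.6; the strtr() fallback covers the older interpreters
//    this ticket was written against. Backslash is listed first, but strtr()
//    never re-scans replaced text, so order does not matter for correctness.
function ldap_filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    $map = array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    );
    return strtr($value, $map);
}

// 3. Build the lookup filter from the escaped login. The password is never
//    interpolated into a filter: it goes to ldap_bind() as the raw string,
//    which is why a quote in it needs no escaping at all.
function build_user_filter($login)
{
    return '(&(objectClass=inetOrgPerson)(uid=' . ldap_filter_escape($login) . '))';
}

// --- constructed input, simulating what the form would post ---------------
$login    = undo_magic_quotes(isset($_POST['login'])    ? $_POST['login']    : "*)(uid=*");
$password = undo_magic_quotes(isset($_POST['password']) ? $_POST['password'] : "sec'ret");

// Shows: (&(objectClass=inetOrgPerson)(uid=\2a\29\28uid=\2a))
echo build_user_filter($login), "\n";

// Assumed server and base DN; the bind itself is the real test of the password.
$ldap = ldap_connect('ldap://ldap.example.com');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$result  = @ldap_search($ldap, 'ou=people,dc=example,dc=com', build_user_filter($login), array('dn'));
$entries = $result ? ldap_get_entries($ldap, $result) : array('count' => 0);
if ($entries['count'] === 1 && @ldap_bind($ldap, $entries[0]['dn'], $password)) {
    // authenticated with the unmodified password; the password change would follow here
}
```

Turning magic_quotes_gpc off in php.ini, as suggested above, removes the need for `undo_magic_quotes()`, but it does nothing for LDAP injection: the escaping in `ldap_filter_escape()` is needed either way, and only for values that end up inside a filter, never for the bind password.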
Updated by Jonathan Clarke 9 months ago
Clément Oudot wrote:
> can you test the last commit (r33)? I added a test to strip slashes if magic_quotes_gpc is set.
OK, this now works fine. I haven't tested disabling magic quotes, but I guess this is a good enough fix.
Thanks again for being so quick :)
Updated by Clément Oudot 9 months ago
- Status changed from Feedback to Closed
- % Done changed from 80 to 100