Opened 13 years ago
Closed 13 years ago
#17145 closed defect (bug) (fixed)
Entities in protected post passwords cause password mismatch
Reported by: | dllh | Owned by: | dd32 |
---|---|---|---|
Milestone: | 3.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Validation | Keywords: | has-patch |
Focuses: | Cc: |
Description
Repro:
- Make a new post.
- Give it a password with quotes or other entities in it (e.g. "here'quote")
- With cookies cleared and as a non-admin user, supply the correct password to view the post.
Expected Result: Rainbows, unicorns, access to the secrets of life via the newly unlocked post.
Actual Result: The password doesn't match. This is because setcookie() automatically urlencodes the cookie value. So the sample password above winds up causing "here%27quote" to be compared to "here'quote" and there's a mismatch.
The attached patch corrects the issue. Another approach would be to limit input on the front end. The attached post is a simpler solution less constraining on the user.
Attachments (1)
Change History (5)
Note: See
TracTickets for help on using
tickets.
Sorry, a clarification. The urlencoded value seems to be unencoded when brought back in for comparison, but with magic_quotes_gpc enabled, the quote is escaped. The patch checks for magic quotes and strips slashes if needed.