ClearFoundation Tracker - ClearOS
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0000563ClearOSclearos-frameworkpublic2012-04-26 17:502016-06-02 10:47
Reporterdloper 
Assigned Tobchambers 
PrioritynormalSeverityminorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version 
Target Version6.8.0 Beta 1Fixed in Version6.8.0 Beta 1 
Summary0000563: Ampersand (&) character is not recognized by webconfig.
DescriptionWhen using an '&' character for passwords, Webconfig will not pass it on its password change nor will it recognize it when it is passed via authentication.
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
has duplicate 0006261closed  Codeigniter's global_xss_filtering can break Registration 
has duplicate 0002131closed user2 Webconfig does not properly escape % in password fields 
related to 0006271closed bchambers Ampersand (&) character is not recognized by webconfig. 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2012-04-26 17:50dloperNew Issue
2012-04-27 19:05user2Statusnew => confirmed
2013-02-02 11:29user2Target Version => 6.4.0 Updates
2013-07-29 13:58user2Target Version6.4.0 Updates => 6 Future
2014-04-22 13:28user2Target Version6 Future => Future
2015-05-25 05:10user2Target VersionFuture =>
2015-08-10 10:16dloperNote Added: 0001741
2015-11-17 10:20user2Relationship addedhas duplicate 0006261
2015-11-17 10:22user2Note Added: 0002161
2015-11-17 10:22user2Issue cloned: 0006271
2015-11-17 10:22user2Relationship addedrelated to 0006271
2015-11-17 10:45bchambersNote Added: 0002171
2015-11-17 12:31user2Assigned To => bchambers
2015-11-17 12:31user2Statusconfirmed => assigned
2015-11-18 11:33user2Categoryapp-base - Base System => clearos-framework
2015-12-17 11:45user2Product Version6.2.0 =>
2015-12-17 11:45user2Target Version => 6.7.0 Updates
2015-12-17 11:49user2Relationship addedhas duplicate 0002131
2016-02-16 21:26user2Statusassigned => resolved
2016-02-16 21:26user2Fixed in Version => 6.8.0 Beta 1
2016-02-16 21:26user2Resolutionopen => fixed
2016-05-10 08:49user2Target Version6.7.0 Updates => 6.8.0 Beta 1
2016-06-02 10:47user2Statusresolved => closed

Notes
(0001741)
dloper   
2015-08-10 10:16   
This holds true if the Characters following the ampersand match an ascii character (ie. two numbers in hexidecimal)
(0002161)
user2   
2015-11-17 10:22   
From duplicate 0006261 :

If user's password contains an ampersand, CI is adding a semi colon to end of the password post as per this bug:

https://github.com/bcit-ci/CodeIgniter/issues/1674 [^] [^]

Disabling global_xss_filtering or upgrading CI framework seems to be the only workaround.
(0002171)
bchambers   
2015-11-17 10:45   
It's a total hack, but this work around inside Registration app works:

$pw = $this->input->post('password');
if (preg_match('/&.*;$/', $pw))
        $pw = preg_replace('/;$/', '', $pw);
echo $this->registration->get_registration_info(
        $this->input->post('username'),
        $pw
);