blackguerilla / clients-oriented-ftp

Automatically exported from code.google.com/p/clients-oriented-ftp

Special characters are not consistently handled in passwords #412

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Reset password with reset-password.php using special characters & ! and ;.
2. Try to log in using the new password

What is the expected output? What do you see instead?
Login failed. Expected successful login.

What version of the product are you using? On what operating system?
r514

Please provide any additional information below.
reset-password uses encode_html() before encoding the new password, while 
index.php uses mysql_real_escape_string() before validating. The resulting hash 
is different and causes a failed login.

I was able to fix the issue by updating reset-password.php:

121c121
<                               $reset_password_new = 
encode_html($_POST['reset_password_new']);

---
>                               $reset_password_new = 
mysql_real_escape_string($_POST['reset_password_new']);
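
Review bot: at line 121 the new password is still run through an escaping function before it is hashed, so a login only succeeds while every path that sets or checks a password applies exactly the same transform. mysql_real_escape_string() is an SQL string-literal escaper: it rewrites quotes and backslashes and needs an open database connection, which makes it a fragile normaliser for a secret. Consider assigning `$_POST['reset_password_new']` unmodified, hashing that raw value the same way in reset-password.php, index.php, users-add.php and users-edit.php, and keeping escaping (or bound parameters) for the values that actually end up in the SQL text.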

Research scenario had a password with & ; and !. Not sure which one caused the 
issue specifically, but I suspect & because encode_html is involved.

It seems that a similar update is also required to users-edit.php and 
users-add.php because those do not seem to escape the password at all when an 
admin updates a user's password.

Alternatively, the issue could also be resolved by removing the escape 
functions from index.php and reset-password.php. In my opinion it's probably 
safer to scrub it just in case, as long as it's done consistently.

Original issue reported on code.google.com by jmh...@gmail.com on 19 Dec 2013 at 6:40
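
The mismatch described in this report, reproduced as an added example (not code from the project or from the reporter). It assumes `encode_html()` behaves like `htmlspecialchars()`, models `mysql_real_escape_string()` with a stand-in that needs no database connection, and uses SHA-256 in place of the application's hash; all function names and sample passwords are constructed. The second loop shows the report's alternative of hashing the raw input on every path.

```php
<?php
// Added illustration; helper names are hypothetical, not from the project.

// ASSUMPTION: encode_html() behaves like htmlspecialchars().
function encode_html_model(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Stand-in for mysql_real_escape_string(), which needs a live connection:
// backslash-escapes the characters that function is documented to escape.
function sql_escape_model(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// ASSUMPTION: SHA-256 stands in for whatever hash the application uses.
function hash_on_reset(string $pw): string
{
    return hash('sha256', encode_html_model($pw));   // reset-password.php path
}

function hash_on_login(string $pw): string
{
    return hash('sha256', sql_escape_model($pw));    // index.php path
}

// Constructed sample passwords.
$samples = ['abc123', 'pa;ss!', 'pa&ss', "o'brien"];

foreach ($samples as $pw) {
    $same = hash_equals(hash_on_reset($pw), hash_on_login($pw));
    printf("%-8s reset sees %-14s login sees %-10s -> %s\n",
        $pw, encode_html_model($pw), sql_escape_model($pw),
        $same ? 'login ok' : 'login FAILS');
}

// Consistent alternative: hash the raw input on every path.
foreach ($samples as $pw) {
    $stored = password_hash($pw, PASSWORD_DEFAULT);      // set or reset
    printf("%-8s raw verify: %s\n", $pw,
        password_verify($pw, $stored) ? 'ok' : 'FAILS'); // login
}
```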

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r521.

Original comment by i...@subwaydesign.com.ar on 24 Jan 2014 at 10:47

GoogleCodeExporter commented 9 years ago
Nice find! Thanks for the solution! Just added it to the repo!

Original comment by i...@subwaydesign.com.ar on 24 Jan 2014 at 10:47