collectiveaccess / pawtucket2

Pawtucket Improved
GNU General Public License v3.0

Password Handling Failure #33

Closed miqrogroove closed 6 months ago

miqrogroove commented 2 years ago

I just got my Pawtucket site set up and connected to Providence for the first time.

While surfing the Pawtucket features, I logged in using the default credentials admin:h3r1tag3

I then went to the profile page and attempted to reset my password. I used a random password generator and pasted this new password into both fields, exactly:

R=ZL["e\v^ys";5K

I am now unable to login using either password and effectively locked out of both websites. This seems to represent a major bug in the Collective Access password I/O. At this time I do not have any reason to believe it represents a security issue.

collectiveaccess commented 2 years ago

Please try changing it again and see if it's the password, your entry, or an actual issue.

collectiveaccess commented 2 years ago

Also, try logging in with username set to the email address associated with the account (rather than admin). Does that work?

miqrogroove commented 2 years ago

Logging in with email as username does not work.

Password recovery shows email sent, but I never received anything. I'll brainstorm if I have another SMTP server around here somewhere to see if I can simplify this mess.

collectiveaccess commented 2 years ago

You can reset the password on the command line. Go into the support directory in your Providence installation and run bin/caUtils reset-password

collectiveaccess commented 2 years ago

Also try your password without the backslash: R=ZL["ev^ys";5K

It's being treated as an escape character rather than a literal. It has never occurred to me to use that char in a password. We'll have to look into how to best treat that. Definitely don't try using it on the command line.

miqrogroove commented 2 years ago

One moment. Somehow my php-cli has the APC module disabled.

miqrogroove commented 2 years ago

First try:

User name admin does not exist

Second try:

I used my email address and got "Changed password". However, I still could not login. This was the new random password:

S&cD5PLknRdtgIh-

Third try:

I excluded everything except alpha and number chars in the password generator, then was able to login with the email address and new password.

collectiveaccess commented 2 years ago

For me the only actual issue is the backslash. All other characters are ok. This is in the Providence web form for passwords and on command-line. I did not try Pawtucket. I'll run through this again tomorrow and see if there's anything else going on.

miqrogroove commented 2 years ago

fwiw, I went back to the command line, reset the password again to S&cD5PLknRdtgIh- and verified it is impossible to login with that password on both websites.

miqrogroove commented 2 years ago

p.s. the full command to reset a password with cache_backend set to apc:

php -d apc.enable_cli=1 caUtils reset-password

collectiveaccess commented 2 years ago

Or just set it in your php config

Monica-Wood commented 2 years ago

I have had some issues with some passwords not being accepted and I have discovered that the character & is causing the issue. If you reset exactly the same password without this character it starts to work each time. FWIW: This is on Providence, not Pawtucket, I haven't used pawtucket yet.

collectiveaccess commented 2 years ago

It turns out this is due to HTMLPurifier, the library used to filter input from forms, transforming all "&" to an HTML entity. It considers "&" dangerous and does this across the board.

I've just pushed a fix for this.
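As an added illustration of the failure mode described in this thread (this is not CollectiveAccess code and does not show the actual fix), the PHP below contrasts a password-change path that runs the submitted password through an HTML sanitizer before hashing with one that hashes the raw value. `htmlspecialchars` stands in for HTMLPurifier's entity rewriting; the function names and the round-trip check are this example's own. The point for a maintainer is the check at the end: a password must survive set-then-verify for every character the form accepts, so the password field has to bypass any HTML-oriented input filter.

```php
<?php
// Added example (not project code): HTML-escaping a password before hashing
// stores a hash of a different string than the user typed, so login fails.

// Stand-in for a form sanitizer that rewrites "&" (and < > " ') as entities.
function sanitizeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Buggy flow: the password field is filtered like any other form field.
// "S&cD5PLknRdtgIh-" is hashed as "S&amp;cD5PLknRdtgIh-".
function setPasswordBuggy(string $submitted): string
{
    $filtered = sanitizeForHtml($submitted);
    return password_hash($filtered, PASSWORD_DEFAULT);
}

// Corrected flow: a password is never rendered as HTML, so it is hashed as-is.
function setPasswordFixed(string $submitted): string
{
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Login compares the raw value the user typed against the stored hash.
function login(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Regression check: every password in the list must round-trip through the
// given setter and then verify. Characters are the ones raised in the thread
// plus plain alphanumerics that were reported to work.
function roundTripsAll(callable $setter): array
{
    $samples = [
        'S&cD5PLknRdtgIh-',   // "&" case from the thread
        'R=ZL["e\\v^ys";5K',  // backslash case from the thread (one literal "\")
        'abcXYZ0123',         // alphanumeric only
        'a<b>c"d\'e',         // other characters an HTML filter rewrites
    ];
    $failures = [];
    foreach ($samples as $pw) {
        if (!password_verify($pw, $setter($pw))) {
            $failures[] = $pw;
        }
    }
    return $failures; // empty array means every sample round-tripped
}

$password = 'S&cD5PLknRdtgIh-';
$buggyHash = setPasswordBuggy($password);
$fixedHash = setPasswordFixed($password);

printf("buggy: login with typed password     -> %s\n", login($password, $buggyHash) ? 'ok' : 'FAILS');
printf("buggy: login with entity-encoded form -> %s\n", login(sanitizeForHtml($password), $buggyHash) ? 'ok' : 'FAILS');
printf("fixed: login with typed password     -> %s\n", login($password, $fixedHash) ? 'ok' : 'FAILS');

echo "buggy setter failures: ", json_encode(roundTripsAll('setPasswordBuggy')), "\n";
echo "fixed setter failures: ", json_encode(roundTripsAll('setPasswordFixed')), "\n";
```

Run it with `php example.php`. The buggy setter fails for the samples containing `&`, `<`, `>`, `"` or `'` and passes for the alphanumeric and backslash samples, which matches the thread's observation that only certain characters broke login; the fixed setter fails for none. The backslash problem reported earlier in the thread is a separate issue of shell quoting when the password is passed on the command line, which this example does not model.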