gaspode-wd / pwm

Automatically exported from code.google.com/p/pwm

URLEncoding the PWM Macro values, especially password (Enhancement request) #326

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Put a url in External REST Change Method that uses %PASSWORD%
2. Password is fine in the GET statement... but
3. Because the value is not URLencoded, special characters in password (#, &, ?, % etc.) are seen as delimiters in the url string and of course this makes using the %PASSWORD% parameter as input into (say) a php program kind of useless.

What is the expected output? What do you see instead?
Would like to have the password URLencoded so that special characters are not identified as delimiters in the string.

For example...

configuration:
?pw=%PASSWORD%&un=@User:ID@

resulting GET:
?pw=Pass#word123&un=myuser  

resulting variable assignments:
pw=Pass
un=myuser

What version of PWM are you using?

1.6.4

What ldap directory and version are you using?

eDirectory 8.8

Please paste any error log messages below:

No errors, just inconsistent results

thank you!
Karla B

Original issue reported on code.google.com by kbore...@smith.edu on 30 Jan 2013 at 5:47
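To make the reported truncation concrete, here is an added example (not PWM's code) that expands a constructed URL template carrying the two macros from the report, once by plain string replacement and once with `java.net.URLEncoder`, and then splits the query string the way a receiving server would. The host, the class name and the `expand`/`queryParams` helpers are assumptions for the demonstration; it assumes Java 10 or later for the `Charset` overloads.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Expands PWM-style macros in a URL template; added demonstration, not PWM's code. */
public class MacroUrlDemo {
    // Constructed template using the two macros from the report; the host is a placeholder.
    static final String TEMPLATE = "https://rest.example.invalid/change?pw=%PASSWORD%&un=@User:ID@";

    /** Replaces each macro with its value: verbatim (the reported behaviour) when encode is false,
     *  form-encoded when true so '#', '&', '?' and '%' in the value cannot act as URL delimiters. */
    static String expand(String template, Map<String, String> values, boolean encode) {
        String out = template;
        for (Map.Entry<String, String> e : values.entrySet()) {
            String v = encode ? URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8) : e.getValue();
            out = out.replace(e.getKey(), v);
        }
        return out;
    }

    /** Splits the query part of a URL into decoded name/value pairs, as a receiving server does. */
    static Map<String, String> queryParams(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = URI.create(url).getRawQuery(); // only the text between '?' and '#'
        if (query == null) return params;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) {
        Map<String, String> values = new LinkedHashMap<>();
        values.put("%PASSWORD%", "Pass#word123"); // constructed password taken from the report
        values.put("@User:ID@", "myuser");
        String broken = expand(TEMPLATE, values, false);
        System.out.println(broken + "\n  params=" + queryParams(broken)
                + " fragment=" + URI.create(broken).getFragment());
        String fixed = expand(TEMPLATE, values, true);
        System.out.println(fixed + "\n  params=" + queryParams(fixed));
    }
}
```

The unencoded run reproduces the report: the server sees only `pw=Pass`, because everything from `#` onward is parsed as the fragment; the encoded run carries both parameters intact.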

GoogleCodeExporter commented 9 years ago
Hello,

We are actually implementing PWM in our school (about 5000 users) and we have the same issue here. We cannot allow special characters in our password because the external REST call is not URLencoded.

We would really appreciate a solution for this. 

Alternatively, instead of issuing a HTTP GET, the external REST method should use POST and the PWM admin allowed to put whatever he wants into the POST body (including actual macro).

Thanks a lot,
Jérémy Berthet

http://www.hepl.ch

Original comment by grapesh...@gmail.com on 14 Aug 2013 at 7:55

GoogleCodeExporter commented 9 years ago
This patch fixes the problem you mentioned and another problem as well.  I know it's a bit of a hack, but it works for me as I don't need %OLD_PASSWORD%.

It requires that you rebuild from source (included in the 1.6.4 zip archive).

--- 
pwm-1.6.4-ldapchai-r51-orig/servlet/src/password/pwm/util/Helper.java   2012-08-23
 13:53:04.000000000 -0500
+++ 
pwm-1.6.4-ldapchai-r51-patched/servlet/src/password/pwm/util/Helper.java    2013-08
-20 16:29:29.000000000 -0500
@@ -70,6 +70,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

+import java.net.URLEncoder;
+
 /**
  * A collection of static methods used throughout PWM
  *
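Review bot: style point on the import hunk: `import java.net.URLEncoder;` is added as its own group after the `java.util.regex` imports; sort it in with the existing `java.*` imports instead of appending a separate block with a trailing blank line.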
@@ -452,9 +454,12 @@
                         return StringEscapeUtils.escapeHtml(newValue); // make sure replacement values are properly encoded
                     }
                 });
-                LOGGER.debug(pwmSession, "sending HTTP verification request: " 
+ expandedURL);
-                expandedURL = expandedURL.replace("%PASSWORD%", 
StringEscapeUtils.escapeHtml(newPassword)); // expand and encode %PASSWORD%
-                expandedURL = expandedURL.replace("%OLD_PASSWORD%", 
StringEscapeUtils.escapeHtml(oldPassword)); // expand and encode %OLD_PASSWORD%
+                LOGGER.debug(pwmSession, "sending HTTP REST request: " + 
expandedURL);
+       // Using escapeHtml is just wrong here.
+                //expandedURL = expandedURL.replace("%PASSWORD%", 
StringEscapeUtils.escapeHtml(newPassword)); // expand and encode %PASSWORD%
+                expandedURL = expandedURL.replace("%PASSWORD%", 
URLEncoder.encode(newPassword, "UTF-8")); // expand and encode %PASSWORD%
+       // Breaks when help desk resets the password (no old password supplied).  OK 
unless the target of the REST call requires it...
+                //expandedURL = expandedURL.replace("%OLD_PASSWORD%", 
StringEscapeUtils.escapeHtml(oldPassword)); // expand and encode %OLD_PASSWORD%
                 final URI requestURI = new URI(expandedURL);
                 final HttpGet httpGet = new HttpGet(requestURI.toString());

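Review bot: the `%OLD_PASSWORD%` expansion is commented out rather than guarded, so a configured template that uses that macro now sends the literal text `%OLD_PASSWORD%` to the REST endpoint. The inline comment says the real problem is a null `oldPassword` on help-desk resets, so a null check keeps the macro working: `if (oldPassword != null) { expandedURL = expandedURL.replace("%OLD_PASSWORD%", URLEncoder.encode(oldPassword, "UTF-8")); }` (substituting an empty string is the other reasonable choice). Two smaller points: the generic macro replacement at the top of the hunk still returns `StringEscapeUtils.escapeHtml(newValue)`, so a `@User:ID@` value containing `&` or `#` has exactly the delimiter problem this issue describes and should be URL-encoded the same way; and `URLEncoder.encode` produces form encoding (a space becomes `+`), which is only correct for a macro placed in the query string, not in a path segment. The commented-out lines should be deleted rather than left in the source.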
@@ -470,7 +475,7 @@
                 LOGGER.debug(pwmSession, "response from http rest request: " + httpResponse.getStatusLine());
                 LOGGER.trace(pwmSession, "response body from http rest request: " + responseBody);
             } catch (Exception e) {
-                final String errorMsg = "unexpected error during recpatcha API 
execution: " + e.getMessage();
+                final String errorMsg = "unexpected error during http rest 
request: " + e.getMessage();
                 LOGGER.error(pwmSession, errorMsg);
             }
         }
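Review bot: the corrected message is an improvement, but this catch still swallows every failure of the request with only `e.getMessage()`, which now includes the checked `UnsupportedEncodingException` declared by the new `URLEncoder.encode(..., "UTF-8")` call and any `URISyntaxException` from the expanded URL; if the logger has an overload that accepts the throwable, pass `e` so the stack trace is kept, since a rejected encoded URL is otherwise hard to diagnose from the message alone.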

Original comment by rjaf...@gmail.com on 20 Aug 2013 at 11:52

GoogleCodeExporter commented 9 years ago
This issue would be more aptly titled:

  "URLEncode PWM Macro values when used to construct HTTP requests."

Original comment by rjaf...@gmail.com on 21 Aug 2013 at 12:01

GoogleCodeExporter commented 9 years ago
From my point of view, this issue has been solved in the last release of PWM.

Original comment by grapesh...@gmail.com on 9 Oct 2013 at 9:45