Open GoogleCodeExporter opened 9 years ago
Hello,
We are actually implementing PWM in our school (about 5000 users) and we have
the same issue here. We cannot allow special characters in our password because
the external REST call is not URLencoded.
We would really appreciate a solution for this.
Alternatively, instead of issuing an HTTP GET, the external REST method should
use POST, and the PWM admin should be allowed to put whatever he wants into the
POST body (including actual macros).
Thanks a lot,
Jérémy Berthet
http://www.hepl.ch
Original comment by grapesh...@gmail.com
on 14 Aug 2013 at 7:55
This patch fixes the problem you mentioned and another problem as well. I know
it's a bit of a hack, but it works for me as I don't need %OLD_PASSWORD%.
It requires that you rebuild from source (included in the 1.6.4 zip archive).
---
pwm-1.6.4-ldapchai-r51-orig/servlet/src/password/pwm/util/Helper.java 2012-08-23
13:53:04.000000000 -0500
+++
pwm-1.6.4-ldapchai-r51-patched/servlet/src/password/pwm/util/Helper.java 2013-08
-20 16:29:29.000000000 -0500
@@ -70,6 +70,8 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import java.net.URLEncoder;
+
/**
* A collection of static methods used throughout PWM
*
@@ -452,9 +454,12 @@
return StringEscapeUtils.escapeHtml(newValue); // make sure replacement values are properly encoded
}
});
- LOGGER.debug(pwmSession, "sending HTTP verification request: "
+ expandedURL);
- expandedURL = expandedURL.replace("%PASSWORD%",
StringEscapeUtils.escapeHtml(newPassword)); // expand and encode %PASSWORD%
- expandedURL = expandedURL.replace("%OLD_PASSWORD%",
StringEscapeUtils.escapeHtml(oldPassword)); // expand and encode %OLD_PASSWORD%
+ LOGGER.debug(pwmSession, "sending HTTP REST request: " +
expandedURL);
+ // Using escapeHtml is just wrong here.
+ //expandedURL = expandedURL.replace("%PASSWORD%",
StringEscapeUtils.escapeHtml(newPassword)); // expand and encode %PASSWORD%
+ expandedURL = expandedURL.replace("%PASSWORD%",
URLEncoder.encode(newPassword, "UTF-8")); // expand and encode %PASSWORD%
+ // Breaks when help desk resets the password (no old password supplied). OK
unless the target of the REST call requires it...
+ //expandedURL = expandedURL.replace("%OLD_PASSWORD%",
StringEscapeUtils.escapeHtml(oldPassword)); // expand and encode %OLD_PASSWORD%
final URI requestURI = new URI(expandedURL);
final HttpGet httpGet = new HttpGet(requestURI.toString());
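Review bot: The %OLD_PASSWORD% replacement is commented out rather than fixed, so a URL template that still contains %OLD_PASSWORD% will now send that literal placeholder to the external service. Guarding for the missing value and encoding it the same way as the new password would keep the macro working, for example `oldPassword == null ? "" : URLEncoder.encode(oldPassword, "UTF-8")`, and the two commented-out escapeHtml lines can then be deleted instead of left in place. The other macro values are still passed through `StringEscapeUtils.escapeHtml(newValue)` in the context lines at the top of the hunk, so they have the same encoding problem when they are placed in the URL. The password is also still carried in the query string of an HttpGet, where it can end up in the receiving server's access logs; the POST body suggested earlier in the thread would avoid that.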
@@ -470,7 +475,7 @@
LOGGER.debug(pwmSession, "response from http rest request: " + httpResponse.getStatusLine());
LOGGER.trace(pwmSession, "response body from http rest request: " + responseBody);
} catch (Exception e) {
- final String errorMsg = "unexpected error during recpatcha API
execution: " + e.getMessage();
+ final String errorMsg = "unexpected error during http rest
request: " + e.getMessage();
LOGGER.error(pwmSession, errorMsg);
}
}
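Review bot: errorMsg in the catch block appends e.getMessage() and is written with LOGGER.error, and the block catches Exception broadly. If `new URI(expandedURL)` from the previous hunk sits inside this try, a URISyntaxException message includes the input string, which at that point is the URL with the password already expanded into it. Logging a fixed message plus the exception class, or redacting the query string before logging, would keep the password out of the error log. The catch also only logs, so the caller cannot tell that the REST request failed; returning or rethrowing an error here would make that visible.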
Original comment by rjaf...@gmail.com
on 20 Aug 2013 at 11:52
This issue would be more aptly titled:
"URLEncode PWM Macro values when used to construct HTTP requests."
Original comment by rjaf...@gmail.com
on 21 Aug 2013 at 12:01
From my point of view, this issue has been solved in the last release of PWM.
Original comment by grapesh...@gmail.com
on 9 Oct 2013 at 9:45
Original issue reported on code.google.com by
kbore...@smith.edu
on 30 Jan 2013 at 5:47