search

pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0
2.08k stars 359 forks source link

Whitespace stripping in passwords #196

Closed rev138 closed 3 years ago

rev138 commented 3 years ago

Our PasswordPusher instance seems to be stripping/condensing multiple whitespace characters in passwords.

For example, this text entered into the form:

there are two spaces before the period  .

Becomes the following text displayed by the resulting link:

there are two spaces before the period .

Obviously, this is bad behavior for password handling. It led to a several hours of tail-chasing at my workplace this morning :(

Thank you for your efforts.

pglombardo commented 3 years ago

Thanks for letting me know @rev138. I just tried to reproduce on the latest and even prior deploys from last month and it happens on both. I'll figure out the root cause and update soon.

pglombardo commented 3 years ago

The good news is that this was a display issue only because of a CSS oddity with white-space collapsing.

Screen Shot 2021-06-08 at 7 54 08 PM

I have a fix on the staging site and will deploy to pwpush.com shortly. Give it a try and let me know: https://pwp-stage.herokuapp.com/p/lxs8nylvzgousi81

Apologies for the time burnt with this issue - it was an unexpected one for sure.

pglombardo commented 3 years ago

The fix is released on pwpush.com. That should cover everything. If anything remains, feel free to open another issue. Thanks for reporting.