sintaxi / surge

CLI for the surge.sh CDN
https://surge.sh

Bad Unicode password support #331

Open warningnonpotablewater opened 6 years ago

warningnonpotablewater commented 6 years ago

Surge can't handle long full Unicode passwords

How to reproduce:

  1. Create a fake account
  2. Remove the .netrc file to lose the password
  3. Recover the password with Forgot? (yes) from the CLI
  4. Change the password in the web interface to something like 󷨞ꦐ򝎦򼷌򬔕㣋񼺫󄝊󌔭󓅪𡫯𮋥򃙛򈴸򍜋𿓺񈁅򦣓썾󟸙򗴄򅫚񧏨𦉗幼񎿗򮐟򔃮󩉖񑹤󎾊󤹊򀞸󬮒𤽋􁛍􄰮񄵜򹹻󾕒񺨠򾟷𭼧󛫯󼮢󁭇𳃊﹙𔌫蘋𷕻򄚺􍸌񪫁󟽑󒵷񦢰󙩥󥇥󝌥񿌬󍏶񅊗򱄡񣔭񙯁𧔒񵴭򛼋򉁈󹣋􎚜󉘂󚚷󵗝򣉸񆯁񡣇𛵖󬸔򄘻󴆷􈃐򀫮񩄹󷛮񚟾򅛀𖋸񦡟񰪿򰱡󂬥񤿜񰺐򤡪񱵋𓢋򣈩󔑽񙑲򗸅𩝞񳏑򆸛򭡵𾪬𡘁󇊈񲐎𔱗𸻙􎠶񱧡񌢐󛇻񔵠񽖴𩸨􈐺󀗨􊘖򎺕񃒚𨢄𯻓򑁠􊠙򨖿𰎿𽍯󴅥􍙺񼄀򮍍􀏷񐓱𕆘𥙘􇩛󸋖󵴹򦑎𗥝򒮳񫽣򡵃󥙬󱖟󨗸󞺻񸆋踥󭛃凇򽪚󋃼􉋞񿍒񥞟葓󄭧񕒖򇳷򣆖𜋦􏅎󓷑񲧖𑥁󠙵󡯢󀐫񈽔􇐖񬄣񩍲󎳃򳒛𷈛򜵐􂓳𣣯󬼍𨌭󻼅񥤜򾥈򐷛򥩎򎓬🸲򞲊𳷧򖈢򯊅𥥃񯪃󬯇󧸉󈆲󺍌󅠚󸑌򅣲򺪴􃠁򈱪󞁔񟔮򯘲򐂬񍗁򍿕󃋕󱊪񅛍𾣫򑈰󃍡󺴚򝌅򭐐򾕉𨡙򩁋􋥁񼀯񗬓劇񞦶􎺹󰽵񸙌󃕵򏍱򶖖򷁲򱕨𭡇𻏔񺜈򔅞�𺠢򃂭񹱔𙜫񕼸󃮓􅏝񷛾􋓼񆵙𺩰 (not something like u_ìüP÷íA;À/®`~â¸ÓDºâ/¨¾î^fëÏwÑo]Hø5@¶Þ$ÊDÈ2f.m8À\ÍÇ»5ë¯T;ëéEbí]±+, it passes as it should)
  5. Try to log in using that password

Software I used: