thm-projects / arsnova-customization


password in resetPassword() not URL encoded #1

Open dgerhardt opened 8 years ago

dgerhardt commented 8 years ago

@rillke (thm-projects/arsnova-mobile#66):

I'd like to apologize for reporting here as it is a customization issue; it seems to be impossible for me to get an account at https://git.thm.de

In https://git.thm.de/arsnova/arsnova-customization/blob/master/src/main/webapp/account.html#L280 it seems you send the new password not URL-encoded. Users may type %20 or similar in their passwords and do not expect to have to fill in a white space at next login time. To mitigate this issue, I suggest e.g. copying jQuery.post. It takes care of this and a lot more, e.g. the issue reported in thm-projects/arsnova-backend#36.

On arsnova.eu, there is additionally (b.) the issue that the reset button is greyed out and (c.) you are redirected to https://arsnova.thm.de/blog/ after logging in.

Steps to reproduce on arsnova.eu:

1. Go to https://arsnova.eu/mobile/
2. Press Dozent/in
3. Press ARSnova Register and reload this page (F5).
4. Click "Passwort vergessen" and get a reset link
5. Open the reset link from your inbox
6. You can fill in passwords now but you can't submit the form. (b.)
7. Fill in no%20Space as the new password in both fields.
8. Open a DOM inspector and remove the disabled attribute from the submit button.
9. Submit the form.
10. Now enter your e-mail address and no Space as the password (a.) and submit.
11. You end up at https://arsnova.thm.de/blog/ (c.)
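Added example, not ARSnova's code: a constructed JavaScript demo of the encoding problem reported above. A form body assembled by string concatenation is compared with one built by URLSearchParams (which encodes the way jQuery.post does), and a small parser standing in for the server shows which password each variant actually stores. The field names and the reset key value are made up for the demo.

```javascript
// Constructed demo: a password such as "no%20Space" is silently decoded to
// "no Space" on the server when the form body is not percent-encoded.

// Naive body built by hand from the raw field values (the bug).
function naiveFormBody(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('&');
}

// Encoded body: keys and values percent-encoded as application/x-www-form-urlencoded,
// which is what jQuery.post or a <form> submission would produce.
function encodedFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Decode one form field the way a server does: '+' is a space, then
// percent-sequences are decoded. Returns null if the field is malformed.
function decodeField(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return null; // e.g. a bare "%" that is not followed by two hex digits
  }
}

// Server-side view: parse a form-encoded body back into its fields.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeField(k)] = decodeField(v);
  }
  return out;
}

// Round-trip one password through both body builders; returns what the
// server would store as the new password in each case (null = rejected).
function roundTrip(password) {
  const fields = { action: 'resetpassword', key: 'someChars', password }; // made-up values
  return {
    naive: parseFormBody(naiveFormBody(fields)).password,
    encoded: parseFormBody(encodedFormBody(fields)).password,
  };
}

for (const pw of ['no%20Space', 'a+b', 'p&ss=word', '100%']) {
  const r = roundTrip(pw);
  console.log(`${pw}: naive -> ${JSON.stringify(r.naive)}, encoded -> ${JSON.stringify(r.encoded)}`);
}
```

Only the encoded body stores every sample password unchanged; the naive body turns "no%20Space" into "no Space", truncates a password containing "&" at that character, and rejects one ending in a bare "%".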

dgerhardt commented 8 years ago

Thank you for reporting this issue.

it seems you send the new password not url encoded. [...] On arsnova.eu, there is additionally (b.) the issue that the reset button is greyed out and (c.) you are redirected to https://arsnova.thm.de/blog/ after logging in.

(a) and (c) have been fixed. Regarding (b): The button was only disabled if the password contained URL-encodable characters?

Rillke commented 8 years ago

I can't reproduce (b) anymore, but I am still redirected to https://arsnova.thm.de/blog/ when coming from the password-reset link which is sent by e-mail, after switching to the log-in form and logging in.

I guess this is because https://arsnova.eu/ redirects there and the reset password link contains no redirect target. It looks like this: https://arsnova.eu/thm/account.html?action=resetpassword&username=e@example.com&key=someChars