ucphhpc / migrid-sync

MiGrid workspace where master branch is kept strictly in sync with SF upstream svn repo. Any development or experiments should use a branch. You probably want to fork your own clone or work e.g. on the edge branch if you wish to contribute.
GNU General Public License v2.0

reqpwreset.py is case-sensitive - can silently reject valid pw reset requests #31

Closed aputtu closed 7 months ago

aputtu commented 7 months ago

Requesting a password reset can fail if the email address provided in the reset request has uppercase letter(s). It silently fails, meaning that the user does not receive a notification.

Since MiGrid seems to lowercase email addresses provided at sign-up, but the password reset request checks for a match case-sensitively, it can cause silent rejection when people request a password reset.

Steps to reproduce:

  1. Sign up, providing an email address. It shouldn't matter whether the address contains upper- or lowercase letters, assuming that they are stored in lowercase no matter what. Say you sign up with EmailAddress@Domain.Com; it is assumed it gets converted to emailaddress@domain.com.
  2. Visit the password reset function in the web interface. Retype EmailAddress@Domain.Com (identical to the signup) and request renewal.

Suggestions for added admin/support:
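To illustrate the mismatch described in the steps above, here is an added example (not MiGrid's own code and not taken from reqpwreset.py): a constructed user store where sign-up lowercases the address, a lookup that compares the reset-form input verbatim, and a lookup that normalizes first and logs a warning when nothing matches. All function and variable names are assumptions.

```python
import logging
from typing import Dict, Optional

logger = logging.getLogger("pwreset-example")

# Constructed in-memory user store; only the lowercased address is ever stored,
# mirroring what the issue assumes sign-up does.
SIGNED_UP_USERS: Dict[str, dict] = {}


def normalize_email(email: str) -> str:
    """Normalization the sign-up path is assumed to apply (strip + lowercase)."""
    return email.strip().lower()


def sign_up(email: str, name: str) -> str:
    """Register a user under the normalized form of the address they typed."""
    key = normalize_email(email)
    SIGNED_UP_USERS[key] = {"name": name}
    return key


def lookup_case_sensitive(email: str) -> Optional[dict]:
    """Buggy behaviour from the issue: the reset-form input is compared verbatim,
    so mixed-case input never matches the lowercased record and the request is
    dropped without any log line."""
    return SIGNED_UP_USERS.get(email)


def lookup_for_reset(email: str) -> Optional[dict]:
    """Fixed lookup: normalize exactly as sign-up does before comparing, and
    warn on no match so support can see rejected requests in the log."""
    user = SIGNED_UP_USERS.get(normalize_email(email))
    if user is None:
        logger.warning("password reset requested for unknown address %r", email)
    return user


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sign_up("EmailAddress@Domain.Com", "Example User")
    typed = "EmailAddress@Domain.Com"  # same string the user signed up with
    print("case-sensitive lookup:", lookup_case_sensitive(typed))  # None
    print("normalized lookup:    ", lookup_for_reset(typed)["name"])
    lookup_for_reset("nobody@domain.com")  # emits the warning, returns None
```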

jonasbardino commented 7 months ago

Thanks for reporting it @aputtu. The issue, including a log warning on no match, should be resolved in svn rev 5893 and the corresponding git revisions here.

jonasbardino commented 7 months ago

Additional robustness fixes for ancient versions of cryptography were added in svn rev 5894 and the corresponding git versions.