Open Avarjana opened 9 months ago
It is decided not to allow *, ?, % characters in the username (refer to the comment).
In the password recovery flow, when the user enters the username, it gets encoded by username-resolver.jsp [1] before the username is sent to the BE.
So when the username includes special characters (wildcards), it adds escape characters to the username.
Due to that, the system cannot find the user in the UM_USER table, since it uses the = operator in the query, where it tries to find the exact match for the given username [2].
[1] - https://github.com/wso2/identity-apps/blob/40832fe050d89b898017b1f70b0bcf7a06840228/identity-apps-core/apps/recovery-portal/src/main/webapp/includes/username-resolver.jsp#L28
[2] - https://github.com/wso2/carbon-kernel/blob/eadf79ed01140d1a41d64f56be8281147b7e4071/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L1289
All the fixes are deployed in the product-is. Hence closing the issue. Tested artifact: https://wso2.org/jenkins/job/products/job/product-is/5024/
Reopening since the initial fix has been reverted https://github.com/wso2/carbon-kernel/pull/3796
There is an issue where the escape character is causing the user listing function to misbehave.
I think it could be fixed by changing the escape here [1]
filter = filter.replaceAll("\\\\", "\\\\\\\\");
filter = filter.replaceAll("_", "\\\\_");
Reducing the priority as the original issue is fixed.
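An added example, not part of the original thread and not WSO2 code: it uses Python's sqlite3 as a stand-in user store to show why a username escaped for a LIKE filter no longer matches under the = comparison, and why a LIKE filter needs both the backslash and _ escaped. The UM_USER_NAME column, the helper names and the sample usernames are assumptions made for the illustration.

```python
import sqlite3

USERS = ["john_doe", "johnXdoe", "a\\b"]  # constructed sample usernames


def escape_like(value: str) -> str:
    """Escape backslash first, then the LIKE wildcards % and _."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def build_db(usernames):
    # In-memory stand-in for the user store; the column name is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UM_USER (UM_USER_NAME TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO UM_USER VALUES (?)", [(u,) for u in usernames])
    return db


def find_exact(db, name):
    # Exact match: the value is compared byte for byte, escapes included.
    sql = "SELECT UM_USER_NAME FROM UM_USER WHERE UM_USER_NAME = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def find_like(db, pattern):
    # Pattern match: backslash is declared as the escape character.
    sql = ("SELECT UM_USER_NAME FROM UM_USER "
           "WHERE UM_USER_NAME LIKE ? ESCAPE '\\' ORDER BY UM_USER_NAME")
    return [row[0] for row in db.execute(sql, (pattern,))]


def demo():
    db = build_db(USERS)
    return {
        # Raw name with "=" finds the user.
        "exact_raw": find_exact(db, "john_doe"),
        # Escaped name with "=" finds nothing: "john\_doe" is not stored.
        "exact_escaped": find_exact(db, escape_like("john_doe")),
        # Unescaped "_" in LIKE also matches johnXdoe.
        "like_raw": find_like(db, "john_doe"),
        # Escaped "_" in LIKE matches only the intended user.
        "like_escaped": find_like(db, escape_like("john_doe")),
        # A literal backslash survives only if it is escaped as well.
        "like_backslash": find_like(db, escape_like("a\\b")),
    }
```

Escaping belongs only on the code path that builds a LIKE pattern; a value bound to an = comparison has to be passed through unescaped.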
Describe the issue: For special character combinations in username, password recovery flow is not working. The cause could be with the changes introduced to manipulate the filter in https://github.com/wso2/carbon-kernel/blob/dd6a4e0bb6016120f4bef8870e107cce89a33d74/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L144.
How to reproduce:
xx!@#$%&'*+\=?^_.{|}~-.
and provide a valid email.
Expected behavior:
Related issues: