We have moved to Github. Please open tickets there.

Opened 4 years ago

Closed 13 months ago

Last modified 12 months ago

#1301 closed Defect (fixed)

passwords should not be filtered on input

Reported by: cash Owned by:
Priority: high Milestone: Elgg 1.8.4
Component: Core Version: 1.6
Severity: major Keywords:
Cc: brettp, steve@… Difficulty:

Description

This has significant effects if authenticating against external source - whether slaving Elgg to another app or using something like ldap.

Change History (13)

comment:1 Changed 3 years ago by brettp

  • Milestone changed from Elgg 1.7 to Elgg 1.8
  • Priority changed from minor to major
  • Type changed from unconfirmed defect to confirmed defect

comment:2 Changed 3 years ago by ewinslow

  • Milestone changed from Elgg 1.8 to Elgg 1.8.1

comment:3 Changed 16 months ago by cash

  • Milestone changed from Elgg 1.8.x to Elgg 1.8.4

comment:4 Changed 15 months ago by brettp

This can break existing logins. Appropriate for a bugfix release?

comment:5 Changed 15 months ago by ewinslow

Do we have a workaround for those cases?

comment:6 follow-up: Changed 15 months ago by brettp

A few options:

  1. Upon login, check for passwords that would be changed by filtering and let them pass through with a prompt to change the password.
  2. Check for bad passwords upon login, force reset the password.
  3. Do nothing, expect users to reset their password when they can't log in.

comment:7 Changed 15 months ago by cash

This is a bug. It seems fixing it in a bugfix release is appropriate.

Here's the main issue: those who use external authentication (like LDAP) need the actual password. Someone posted in the community forums about having trouble with this recently which motivated me to schedule this. This is really hard to track down, too.

Because we cannot assume a site is using the built-in password checking, we cannot force a password reset or let a user in if the password fails. This leaves the options:

  1. Let a user reset the password (maybe letting the user know they need to reset their password)
  2. Add an admin notice that has the user's username so the admin can assist the user

We had about 3K users before the first time someone reported being unable to log in. That makes me think that most people do not use <> characters in their passwords.

comment:8 in reply to: ↑ 6 ; follow-up: Changed 15 months ago by mrclay

  • Cc steve@… added

Replying to brettp:

  1. Upon login, check for passwords that would be changed by filtering and let them pass through with a prompt to change the password.

Define "pass through" and "bad passwords"?

  1. Do nothing, expect users to reset their password when they can't log in.

Although a bummer for some users, I think this is the only option that isn't going to require storing a flag and generate a lot of messy code that we'd have to keep for a long time. E.g. consider this 4th option:

Capture the login password as both $unescaped and $filtered. If the user has a flag, use $unescaped to verify the hash. If not, check that $filtered matches the hash and that $unescaped passes the password validation. If so, hash and store $unescaped and store the user flag. If $unescaped is suddenly not a valid password (a case like "abc&"), initiate a password reset.

Good: most users won't even notice. Bad: more complexity, need for flag storage, seals in messy code.

Fun Aside: The password "a&<bcd1234>" (a very strong password!) is filtered to "a&amp;", which (currently) passes the 6-char minimum, letting you log in with just "a&" :)

comment:9 in reply to: ↑ 8 Changed 15 months ago by brettp

Replying to mrclay:

Replying to brettp:

  1. Upon login, check for passwords that would be changed by filtering and let them pass through with a prompt to change the password.

Define "pass through" and "bad passwords"?

"pass through" == "login"
"bad passwords" == "passwords that would be escaped"

  1. Do nothing, expect users to reset their password when they can't log in.

Although a bummer for some users, I think this is the only option that isn't going to require storing a flag and generate a lot of messy code that we'd have to keep for a long time.

Cash convinced me this is the way to go. I'm planning do this with a system_message() call for the user.

Capture the login password as both $unescaped and $filtered. If the user has a flag, use $unescaped to verify the hash. If not, check that $filtered matches the hash and that $unescaped passes the password validation. If so, hash and store $unescaped and store the user flag. If $unescaped is suddenly not a valid password (a case like "abc&"), initiate a password reset.

Good: most users won't even notice. Bad: more complexity, need for flag storage, seals in messy code.

Yeah I agree the bad outweighs the good on this one.

Fun Aside: The password "a&<bcd1234>" (a very strong password!) is filtered to "a&amp;", which (currently) passes the 6-char minimum, letting you log in with just "a&" :)

I'll use that for my tests ;)

comment:10 Changed 15 months ago by brettp

What about another option: An upgrade to add a persistent admin notice saying we've changed how passwords are handled and it could affect a small number of users who should reset their password if they can't log in. We wouldn't have to keep any extra code around in core for that at all.

comment:11 Changed 15 months ago by ewinslow

Posting an admin notice sounds like sufficient notification about this.

comment:12 Changed 13 months ago by Brett Profitt

  • Resolution set to fixed
  • Status changed from new to closed

Fixes #1301. Not filtering passwords.

Changeset: 8aad9f081b9fd83f8cd8358547234fbdcdaf9611

comment:13 Changed 12 months ago by Brett Profitt

Fixes #1301. Not filtering passwords.

Changeset: 8aad9f081b9fd83f8cd8358547234fbdcdaf9611

Note: See TracTickets for help on using tickets.