Password request in profile edit does not take special characters

test--- · April 08, 2006, 04:22:43 PM

I have special characters in my password to make it more difficult to guess, and I can log in with this password without trouble, but in the profile page, when I tried to change my display name, I encountered an "Incorrect password" error. I never got this problem when I used a simpler password, so I ascertain that it's a result of a the characters I use. If it would help, in a PM I can give the two characters that I believe are in question to an administrator.

winrules · April 08, 2006, 05:44:22 PM

Quote from: test--- on April 08, 2006, 04:22:43 PM
I have special characters in my password to make it more difficult to guess, and I can log in with this password without trouble, but in the profile page, when I tried to change my display name, I encountered an "Incorrect password" error. I never got this problem when I used a simpler password, so I ascertain that it's a result of a the characters I use. If it would help, in a PM I can give the two characters that I believe are in question to an administrator.

I've noticed this too. I thought it was just I kept getting my passoword wrong or something, but now that its happened at several different SMF sites and I saw this, I think it's a SMF bug.

test--- · April 12, 2006, 06:21:15 PM

Yeah, it's definitely a bug then. I tried multiple times. But, again, my password works everywhere else, so that's wierd.
The coding for password authentication must have changed between the times when those login boxes were made.

winrules · April 13, 2006, 04:52:42 PM

Quote from: test--- on April 12, 2006, 06:21:15 PM
Yeah, it's definitely a bug then. I tried multiple times. But, again, my password works everywhere else, so that's wierd.
The coding for password authentication must have changed between the times when those login boxes were made.

Yeah, I'll look at the code and see if I can find anything, I'd really like to see this fixed.

winrules · April 15, 2006, 09:44:50 AM

Could you please change the topic title to something like [BUG]Password request in profile edit does not take special characters, it might get more attention that way as it doesn't seem to be getting any right now.

Dannii · April 15, 2006, 09:46:57 AM

Which version of SMF?

winrules · April 15, 2006, 11:02:17 PM

Quote from: eldacar on April 15, 2006, 09:46:57 AM
Which version of SMF?

I use 1.1RC2, I remember having a problem with it in 1.0.x.

winrules · April 18, 2006, 04:34:55 PM

Please, can someone take a look at this, it makes it very hard to change anything in account releated settings...

H · April 18, 2006, 04:37:23 PM

Which special characters?

winrules · April 18, 2006, 04:44:43 PM

Quote from: huwnet on April 18, 2006, 04:37:23 PM
Which special characters?

just a "&"

Thantos · April 18, 2006, 05:09:34 PM

I was able to change my password and log in with an & character on the 1.1 cvs and 1.1 RC2.

winrules · April 18, 2006, 05:16:35 PM

Quote from: Thantos on April 18, 2006, 05:09:34 PM
I was able to change my password and log in with an & character on the 1.1 cvs and 1.1 RC2.

try the password "test&test" I tried it and it didn't work. (it always works to log in, just not to verify password in account releated settings)

Thantos · April 18, 2006, 05:26:03 PM

Ah I see what you are saying. You are right with the & in the pw it doesn't verify the password.

Thantos · April 18, 2006, 05:33:11 PM

To fix:
File: Profile.php
Find:

Code Select

		// Does the integration want to check passwords?
		$good_password = false;
		if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password']))
			if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true)
				$good_password = true;

		// Bad password!!!
		if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd']))
			$post_errors[] = 'bad_password';

Add before

Code Select

		// Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password
		$_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));

Harzem · April 18, 2006, 05:37:02 PM

Will a patch be released for that? Or will we just be silent until 1.1 Final or RC3

winrules · April 18, 2006, 05:38:27 PM

Quote from: Thantos on April 18, 2006, 05:33:11 PM
To fix:
File: Profile.php
Find:
Code Select Expand
// Does the integration want to check passwords? $good_password = false; if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true) $good_password = true; // Bad password!!! if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd'])) $post_errors[] = 'bad_password';
Add before
Code Select Expand
// Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password $_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));

Thanks a ton, thantos

Thantos · April 18, 2006, 05:52:09 PM

Quote from: HarzeM on April 18, 2006, 05:37:02 PM
Will a patch be released for that? Or will we just be silent until 1.1 Final or RC3

It'll be covered in the next release of 1.1

News:

Password request in profile edit does not take special characters

test---

test---