View Issue Details

ID: 15655
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-01-18 11:05
Reporter: kclingerman
Assigned To: c_schmitz
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.21.1
Summary: 15655: Special characters break passwords
Description: When trying to use a password with < in it, the string breaks at that character. For example if I have a password "C<SGBUxaCWt" set for the bounce user it will try to authenticate to the imap server with just "C" as the password.
Steps To Reproduce: Enter a password for the bounce user with < in it and read the password back out.
Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): Version 3.21.1+191210
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysqlnd 5.0.12-dev - 20150407
Server OS (if known): Ubuntu 18.04.2 LTS
Webserver software & version (if known): Apache/2.4.29 (Ubuntu)
PHP Version: 7.2.24-0ubuntu0.18.04.1


Activities

ollehar

2019-12-13 14:30

administrator   ~55024

Last edited: 2019-12-13 14:31


Cannot reproduce with admin user. Changed my admin password to "asd<asd", logout, login, works. More details?

kclingerman

2019-12-13 14:33

reporter   ~55025

Thanks for the quick response. I did not try it with a user login, I tried and experienced the bug specifically when setting the password for the bounce email account.

ollehar

2019-12-13 14:36

administrator   ~55026

Alright.

ollehar

2019-12-13 16:34

administrator   ~55030

@kclingerman Can you give me a screenshot of the form you used to set the password, please?

ollehar

2019-12-13 16:53

administrator   ~55031

Looks like it's by design to strip tags. @c_schmitz, do you remember the reasoning behind this? Been there forever.

```
        setGlobalSetting('bounceaccountuser', strip_tags(returnGlobal('bounceaccountuser')));
```

ollehar

2019-12-13 16:54

administrator   ~55032

Need to inform the user about this security measure, or change it, e.g. escape tags instead of stripping them.
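
The trade-off raised in notes ~55031 and ~55032, shown as an added example that is not part of the original thread and is not LimeSurvey's code. The helper names are hypothetical, the samples beyond the two passwords quoted in the thread are constructed, and keeping the secret verbatim while escaping only at HTML output is an assumption about one way to do it, not a description of the committed fix.

```php
<?php
declare(strict_types=1);

// The first two secrets are quoted in the thread; the rest are constructed samples.
$samples = ['C<SGBUxaCWt', 'asd<asd', 'p&ss"w\'rd>1', 'plainPassword9'];

/** Input-side filtering as in the quoted line: lossy when applied to a secret. */
function storeStripped(string $secret): string
{
    return strip_tags($secret);
}

/** Hypothetical alternative: persist the secret byte-for-byte. */
function storeVerbatim(string $secret): string
{
    return $secret;
}

/** Escape only at the HTML output boundary, e.g. inside a value="" attribute. */
function renderForHtmlAttribute(string $secret): string
{
    return htmlspecialchars($secret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $secret) {
    $stripped = storeStripped($secret);
    $html     = renderForHtmlAttribute(storeVerbatim($secret));
    // A browser decodes the entities again, so the form field round-trips.
    $decoded  = htmlspecialchars_decode($html, ENT_QUOTES);

    printf(
        "%-16s stripped=%-16s altered=%-3s html=%-30s round-trip-ok=%s\n",
        $secret,
        $stripped,
        $stripped === $secret ? 'no' : 'yes',
        $html,
        $decoded === $secret ? 'yes' : 'no'
    );
}
```

A secret that is only ever handed to the IMAP/SMTP client never needs HTML filtering on input; the escaping step matters solely where the value is echoed back into a page.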

c_schmitz

2021-01-13 11:16

administrator   ~61527

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30842

c_schmitz

2021-01-13 11:25

administrator   ~61529

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30844

c_schmitz

2021-01-13 11:27

administrator   ~61530

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30843

lime_release_bot

2021-01-18 11:05

administrator   ~61579

Fixed in Release 3.25.8+210118

Related Changesets

LimeSurvey: 3.x-LTS e811a857

2021-01-13 11:16:45

c_schmitz

Fixed issue 15655: Cannot set SMTP/bounce password containing certain characters
Affected Issues: 15655
mod - application/controllers/admin/globalsettings.php
mod - application/controllers/admin/tokens.php
mod - application/views/admin/token/bounce.php

LimeSurvey: master 2352619a

2021-01-13 11:16:45

c_schmitz

Fixed issue 15655: Cannot set SMTP/bounce password containing certain characters
Affected Issues: 15655
mod - application/controllers/admin/globalsettings.php
mod - application/controllers/admin/tokens.php
mod - application/views/admin/token/bounce.php

LimeSurvey: 3.x-LTS 9dc61667

2021-01-13 11:21:15

c_schmitz

Fixed issue 15655: Cannot set SMTP/bounce password containing certain characters
Affected Issues: 15655
mod - application/controllers/admin/tokens.php

Issue History

Date Modified Username Field Change
2019-12-12 19:57 kclingerman New Issue
2019-12-13 10:33 cdorin Assigned To => cdorin
2019-12-13 10:33 cdorin Status new => assigned
2019-12-13 14:19 ollehar Assigned To cdorin => ollehar
2019-12-13 14:30 ollehar Status assigned => feedback
2019-12-13 14:30 ollehar Note Added: 55024
2019-12-13 14:31 ollehar Note Edited: 55024 View Revisions
2019-12-13 14:33 kclingerman Note Added: 55025
2019-12-13 14:33 kclingerman Status feedback => assigned
2019-12-13 14:36 ollehar Note Added: 55026
2019-12-13 16:34 ollehar Note Added: 55030
2019-12-13 16:34 ollehar Status assigned => feedback
2019-12-13 16:53 ollehar Note Added: 55031
2019-12-13 16:54 ollehar Note Added: 55032
2019-12-16 10:32 c_schmitz Assigned To ollehar => c_schmitz
2021-01-13 11:16 c_schmitz Changeset attached => LimeSurvey 3.x-LTS e811a857
2021-01-13 11:16 c_schmitz Note Added: 61527
2021-01-13 11:16 c_schmitz Resolution open => fixed
2021-01-13 11:21 c_schmitz Status feedback => resolved
2021-01-13 11:25 c_schmitz Changeset attached => LimeSurvey 3.x-LTS 9dc61667
2021-01-13 11:25 c_schmitz Note Added: 61529
2021-01-13 11:27 c_schmitz Changeset attached => LimeSurvey master 2352619a
2021-01-13 11:27 c_schmitz Note Added: 61530
2021-01-18 11:05 lime_release_bot Note Added: 61579
2021-01-18 11:05 lime_release_bot Status resolved => closed